[CONFSERVER-11002] viewuser.action has an XSS problem around username - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.7.3
Affects Version/s: 2.1.5, 2.2.10, 2.3.3, 2.4.5, 2.5.8, 2.6.2, 2.7.2
Component/s: None
Labels:
- affects-server
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

Steps to reproduce:

create a user with username: foo"><script>alert('hello');</script><span class="ff
you should get an alert when you are redirected to viewuser.action to view the user you just created.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

viewuser.vm
17/Mar/2008 6:17 AM
7 kB
Chris Broadfoot [Atlassian]

relates to

CONFSERVER-7615 XSS bug: usernames not HTML-encoded in all places

Closed

Assignee:: Chris Broadfoot [Atlassian]

Reporter:: dave (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 10/Mar/2008 4:44 AM

Updated:: 11/Oct/2018 8:40 AM

Resolved:: 17/Mar/2008 7:02 AM