You can create a space with HTML in the name. In most places this space name is correctly encoded; however, in the tree component given when you choose to move a page, the destination space name is not encoded properly.

      To reproduce.
      1) Create a space called <script>alert("Howdy");</script>
      2) Create a page in another space
      3) Move this new page, choosing the previously created space as the destination
      4) You'll get a friendly 'Howdy' alert.

      Because permissions can be set such that any user has space create permission this is a slightly greater problem than it might originally sound.

        1. screenshot1.png
          49 kB
          Paul Curren
        2. patch_2.10.x.zip
          6 kB
          David Taylor
        3. patch_3.0.zip
          6 kB
          David Taylor
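
The encoding gap described in the report, shown as an added example (not Confluence source code and not taken from the attached patches): a tree-node renderer that concatenates the space name as-is, the same renderer with output encoding, and a regression check that flags any renderer emitting the raw name. All function names, renderer labels and sample spaces are hypothetical; the first sample name is the one from the reproduction steps.

```javascript
// Added example: hypothetical names, not Confluence source code.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the space name is concatenated into the tree node markup as-is.
function renderNodeUnencoded(space) {
  return '<li class="tree-node" data-key="' + space.key + '">' + space.name + '</li>';
}

// "After": every user-controlled value is encoded at the point of output.
function renderNodeEncoded(space) {
  return '<li class="tree-node" data-key="' + escapeHtml(space.key) + '">' +
    escapeHtml(space.name) + '</li>';
}

// A renderer leaks the name if, once correctly encoded occurrences are removed,
// the raw name is still present in the markup it produced.
function emitsRawName(render, space) {
  const encoded = escapeHtml(space.name);
  if (encoded === space.name) return false; // nothing in the name needs encoding
  return render(space).split(encoded).join('').includes(space.name);
}

// Run every renderer (one per place the name is displayed) over every space.
function auditRenderers(renderers, spaces) {
  const findings = [];
  for (const [label, render] of Object.entries(renderers)) {
    for (const space of spaces) {
      if (emitsRawName(render, space)) findings.push({ renderer: label, spaceKey: space.key });
    }
  }
  return findings;
}

// Constructed sample data.
const sampleSpaces = [
  { key: 'HOWDY', name: '<script>alert("Howdy");</script>' },
  { key: 'DOCS', name: 'Docs & Guides' },
  { key: 'ENG', name: 'Engineering' },
];

const findings = auditRenderers(
  { moveDialogTree: renderNodeUnencoded, spaceDirectory: renderNodeEncoded },
  sampleSpaces
);
console.log(findings);
```

Running the same audit over every view that displays a space name catches the "encoded in most places, missed in one" pattern the report describes.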

            [CONFSERVER-16019] XSS vulnerability when moving page between spaces
