[CONFSERVER-16136] XSS vulnerability can be exploited on the WebDAV Configuration page - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.0.1
Affects Version/s: 3.0
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Steps:

Go to WebDAV Configuration
Enter '<script>alert("XSS")</script>'
Click on 'Add new regex' button

The script will be executed. It will continue to be executed whenever a user clicks on the 'Save' button.

This can be done by users in the confluence-admin group, so it could be used by them to gain access to sys-admin actions.

Assignee:: David Taylor (Inactive)

Reporter:: Mark Hrynczak (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 18/Jun/2009 7:00 AM

Updated:: 11/Oct/2018 9:02 AM

Resolved:: 20/Jul/2009 12:33 AM