XSS vulnerability in space key, particularly with decorators off

XMLWordPrintable

    • 6

      NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it.

      To exploit it, create a user with html in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.

      There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.

        1.
        		 Investigate proper solution for this problem Sub-task Closed Unassigned

        0%
        Original Estimate - 16h
        Remaining Estimate - 16h

            Assignee:
            Chii (Inactive)
            Reporter:
            Don Willis
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 16h
                16h
                Remaining:
                Remaining Estimate - 16h
                16h
                Logged:
                Time Spent - Not Specified
                Not Specified