'self' xss reported in a question's moderate

XMLWordPrintable

    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com.

      1) DOM XSS

      Go to https://answers.atlassian.com/
      Prepare an question ,after savin it go to the question ,there is an option of "Moderate" ,click it ,there is an option to "Create bounty" select that , and in the input box which appears enter
      '"><iframe/onload=prompt(document.cookie);>
      and press ok and alert will come immediately !!

      This issue would require some social engineering exploit through perhaps clickjacking and tricking a user into XSS'ing themselves on answers.atlassian.com.

              Assignee:
              eternicode
              Reporter:
              David Black
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: