ZenDesk ticket subject is an XSS vector in Activity Streams and View Issue in OnDemand

XMLWordPrintable

    • Type: Suggestion
    • Resolution: Fixed
    • Component/s: None
    • Environment:
      5.0 in OnDemand

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      1) Create a ZenDesk ticket with the subject '"><script>alert("test from zendesk")</script>
      2) Link to it from an OnDemand issue.
      3) Alert popups appear in both the View Issue page and anywhere the Activity Stream is shown.

      We can't reproduce this on our own test instances because we can't get the connector working at all, but it was observed on Customware's test instance:
      https://adzar.jira-dev.com/browse/UTEST-1

            Assignee:
            Unassigned
            Reporter:
            Penny Wyatt (On Leave to July 2021)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: