Bamboo Data Center / BAM-10810

User avatar can serve as an XSS vector

Details

    Description

      This exploit can be seen from the My Bamboo Dashboard where the user's avatar is displayed.

      QA Notes

      Verify that the alternate text of the user's avatar is encoded correctly in other places, e.g. when a user submits code changes

      Steps to reproduce
      1. Create a user and set full name to be
        <script>alert(666)</script>
      2. Log in as the user and navigate to the My Bamboo dashboard - the script will execute
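
The QA check described above, as an added example in Python rather than Bamboo's own code: it renders an avatar fragment with and without output encoding, parses the result, and reports whether the full name stayed data. The template, function names and finding messages are assumptions made for illustration; the full name is the one from the steps to reproduce.

```python
from html import escape
from html.parser import HTMLParser

# Full name taken from the issue's steps to reproduce.
PAYLOAD = "<script>alert(666)</script>"

# Hypothetical avatar fragment (assumption, not Bamboo's template): the full
# name is the image's alternate text and also a visible label beside it.
TEMPLATE = '<span class="avatar"><img src="/avatar.png" alt="{name}"> {name}</span>'


def render_unencoded(full_name):
    """The defect: the stored name is pasted into the markup as-is."""
    return TEMPLATE.format(name=full_name)


def render_encoded(full_name):
    """The fix: HTML-encode the name, quotes included, at output time."""
    return TEMPLATE.format(name=escape(full_name, quote=True))


class _Collector(HTMLParser):
    """Records the elements, alt values and text that parsing yields."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.alts, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.alts += [value for key, value in attrs if key == "alt"]

    def handle_data(self, data):
        self.text.append(data)


def check_fragment(html, full_name):
    """Return findings; an empty list means the name stayed plain data."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    extra = [tag for tag in parser.tags if tag not in ("span", "img")]
    if extra:
        findings.append("name created elements: " + ", ".join(extra))
    if parser.alts != [full_name]:
        findings.append("alt text does not round-trip to the stored name")
    if full_name not in "".join(parser.text):
        findings.append("visible label does not show the stored name")
    return findings
```

Running the same check over every page that shows the avatar or the full name covers the "other places" the QA note asks about.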

          People

            bmccoy bmccoy
            jcorea JoeyA