XSS when adding Stash Linked Repositories


The Stash server title in the "Stash server" dropdown is not being escaped, and if it contains a script tag that script will be eval'd.

Our Stash QA test data has the server title "Welcome to <script>alert(666)</script> Long Ståш Title with [...]" which causes the "666" to alert when the "Add repository" button is clicked from the Linked Repos page (http://mszczepanski.local:8085/bamboo/admin/configureGlobalRepositories!default.action).
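The defect described above, as an added example that is not Bamboo's own code: a minimal HTML escaper and the dropdown option rendered both without and with escaping, driven by a constructed title modelled on the QA test data quoted in the report. The serverId parameter and function names are assumptions for illustration.

```javascript
// Added example (not Bamboo's code): escaping a Stash server title before it
// is placed into the "Stash server" dropdown markup. renderOptionUnsafe shows
// the defect the report describes; renderOptionSafe is the hardened form.

// Constructed sample title, modelled on the QA test data quoted in the report.
const SAMPLE_TITLE = 'Welcome to <script>alert(666)</script> Long Ståш Title';

// The characters that must never reach HTML text or a double-quoted
// attribute value unescaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the raw title is concatenated into markup. If this string
// is inserted with an API that evaluates inline scripts (jQuery's .html(),
// for example), the <script> element from the title runs in the admin's
// session.
function renderOptionUnsafe(serverId, title) {
  return '<option value="' + serverId + '">' + title + '</option>';
}

// Hardened form: every untrusted value is escaped for the context it lands
// in, so the title is shown verbatim as text and can no longer create elements.
function renderOptionSafe(serverId, title) {
  return (
    '<option value="' + escapeHtml(serverId) + '">' +
    escapeHtml(title) +
    '</option>'
  );
}

// Detection helper for a review or regression test: true when the rendered
// markup still contains a raw <script tag, i.e. the title was not neutralised.
function containsRawScriptTag(markup) {
  return /<script\b/i.test(markup);
}
```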


Assignee: Unassigned
Reporter: Marcin (Inactive)