The version of jQuery in use is vulnerable to several issues

XMLWordPrintable

    • Severity 2 - Major

      Similar to JRASERVER-43422, the version of jQuery used (currently version 2.1.4) is vulnerable to jQuery issue 2432 (3rd party $.get() auto executes if content type is text/javascript) and 11974 (parseHTML executes inline scripts like event handlers). Actual exploitation / impact to Bitbucket Server depends upon if & how the vulnerable code paths are used.

      On a related note, http://research.insecurelabs.org/jquery/test/ can be used to check jQuery versions for issues.

            Assignee:
            Michael McGlynn (Inactive)
            Reporter:
            David Black
            Votes:
            1 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated:
              Resolved: