[CONFSERVER-11027] XSS vulnerabilities in create/edit/copy page and blogpost actions - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Medium
Resolution: Fixed
Affects Version/s: 2.1.5, 2.2.10, 2.3.3, 2.4.5, 2.5.8, 2.6.2, 2.7.2
Fix Version/s: 2.7.3
Component/s: None
Labels:
- affects-server
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The following create/edit page URL's are vulnerable:

/pages/createpage.action
/pages/docreatepage.action
/pages/editpage.action
/pages/doeditepage.action

on parentPageString, mode, labelsString, captchaId

The following create/edit blogpost URL's are vulnerable:

/pages/createblogpost.action
/pages/docreateblogpost.action
/pages/editblogpost.action
/pages/doeditblogpost.action

on mode, labelsString, title, captchaId

The following copy page URL's are vulnerable:

/pages/copypage.action
/pages/docopypage.action

on parentPageString, mode, labelsString, captchaId

The following comment action URL's are vulnerable:

pages/addcomment.action
pages/doaddcomment.action

on mode and captchaId

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Attachments

createblogpost-form.vm
3 kB
11/Mar/2008 11:30 PM
macros.vm
123 kB
11/Mar/2008 11:31 PM
page-labels-form.vm
3 kB
11/Mar/2008 11:30 PM
page-location-form.vm
4 kB
11/Mar/2008 11:30 PM
wiki-textarea.vm
27 kB
11/Mar/2008 11:31 PM

Issue Links

has a regression in

CONFSERVER-11985 XSS vulnerability in create/edit/copy page and blogpost actions

Closed

Activity

People

Assignee:: Chris Broadfoot [Atlassian]

Reporter:: dave (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 11/Mar/2008 5:24 AM

Updated:: 11/Oct/2018 9:02 AM

Resolved:: 11/Mar/2008 11:36 PM