Confluence Server and Data Center: CONFSERVER-13584

Logging event information is not HTML encoded in 500 error page


      Description

      The Confluence 500 error page lists logging events generated during the request that produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually possible or not, but we should just encode the strings to be sure.


            People

            Assignee:
            alynch Andrew Lynch
            Reporter:
            christopher.owen@atlassian.com Christopher Owen [Atlassian]