  1. Confluence Server and Data Center
  2. CONFSERVER-13584

Logging event information is not HTML encoded in 500 error page

    Description

      The Confluence 500 error page lists logging events generated during the request that produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually possible or not, but we should just encode the strings to be sure.

          People

            alynch Andrew Lynch (Inactive)
            christopher.owen@atlassian.com Christopher Owen [Atlassian]