[CONFSERVER-17165] Links from indexbrowser.jsp are vulnerable to XSS attacks - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Highest
Resolution: Fixed
Affects Version/s: 2.5
Fix Version/s: 3.1-m7
Component/s: Search - Core
Labels:

Priority for beta phase:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

~~CONF-16888~~ has introduced or re-introduced an XSS vulnerability.

To reproduce:

Create a new user, and for the Full Name use:
```
<script>alert('Vulnerable')</script>
```
Go to ../admin/indexbrowser.jsp and find the entry
Click on the entry, and the script is executed.

This also happens for other content types.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Attachments

viewdocument.jsp
2 kB
26/Nov/2009 12:38 AM

Issue Links

is caused by

CONFSERVER-16888 indexbrowser.jsp displays documents but links to details display nothing

Closed

Activity

People

Assignee:

Anatoli Kazatchkov

Reporter:

Mark Hrynczak

Participants:

Anatoli Kazatchkov, Brian Nguyen, Don Willis, Giles Gaskell [Atlassian], Mark Hrynczak, Penny Wyatt, Per Fragemann [Atlassian]

Last Touched By:

Katherine Yabut

Reviewers:

Brian Nguyen, Penny Wyatt

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

09/Oct/2009 1:02 AM

Updated:

11/Oct/2018 9:00 AM

Resolved:

29/Nov/2009 11:10 PM

Last commented:

9 years, 30 weeks ago