Confluence Server: CONFSERVER-17933

User's Full Name is an XSS vector in Status Updates tab of User Profile


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Highest
    • Resolution: Fixed
    • Affects Version/s: 3.0
    • Fix Version/s: 3.1-rc3
    • Component/s: None
    • Environment:

      Server: CAC (3.1-rc2)
      Client: IE6/Firefox, WinXP

      Description

      A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile.

      1) Set a user's Full Name to "<script>alert(document.cookie)</script>".
      2) Log out.
      3) If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous.
      4) Go to the profile page for the user modified in step 1.
      5) Click the "Status Updates" tab.

      The script will execute twice:

          <div class="statuslist-wrapper">
              <h2 class="subheading">Status Updates for <script>alert(document.cookie)</script></h2>
              The status list for <script>alert(document.cookie)</script> is empty.
          </div>
      

      This does not reproduce when a user views his/her own profile page, as the user's full name is replaced by the word "Your".
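      The following Python is an added illustration for this report and is not Confluence's code, nor is it taken from the attached .vm templates. It models the two points where the full name is interpolated into the HTML quoted above, first without encoding (the 3.0 behaviour described here) and then with HTML entity encoding applied at the point the value enters the text context, plus a reproduction check that counts how many live <script tags a rendering contains (two, matching the report). The function names, the `encode` switch and the handling of the owner ("Your") view are assumptions made for the example; the sample payload is the one from the steps above.

```python
import html
import re

# Constructed sample input: the payload from the report's reproduction steps.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Matches a live (unencoded) opening <script tag; "&lt;script" does not match,
# so this counts the number of times the browser would execute the payload.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def heading_subject(full_name: str, viewer_is_owner: bool) -> str:
    """The report notes the name is replaced by the word "Your" when a user
    views their own profile, which is why the bug is only reachable as a
    different user or anonymously. The exact owner-view wording is assumed."""
    return "Your" if viewer_is_owner else full_name


def render_status_tab(full_name: str, statuses: list[str],
                      viewer_is_owner: bool = False,
                      encode: bool = False) -> str:
    """Hypothetical model of the Status Updates tab markup quoted in the report.

    encode=False reproduces the vulnerable rendering: the attacker-controlled
    full name is dropped into HTML text content at two places as-is.
    encode=True applies HTML entity encoding to every user-controlled value
    (the name, and the status texts as a matter of course) at the point it
    enters the text context.
    """
    enc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    subject = enc(heading_subject(full_name, viewer_is_owner))
    lines = [
        '<div class="statuslist-wrapper">',
        f'    <h2 class="subheading">Status Updates for {subject}</h2>',
    ]
    if statuses:
        lines += [f'    <p class="status">{enc(s)}</p>' for s in statuses]
    else:
        # Second interpolation point: the empty-list message.
        lines.append(f'    The status list for {subject} is empty.')
    lines.append('</div>')
    return "\n".join(lines)


def count_live_script_tags(rendered: str) -> int:
    """Reproduction check: how many times would the payload execute?"""
    return len(SCRIPT_TAG.findall(rendered))


if __name__ == "__main__":
    vuln = render_status_tab(PAYLOAD, [])
    fixed = render_status_tab(PAYLOAD, [], encode=True)
    print("unencoded rendering, live <script> tags:", count_live_script_tags(vuln))
    print("encoded rendering, live <script> tags:", count_live_script_tags(fixed))
    print(fixed)
```

      Entity encoding is the right fix only because both occurrences sit in HTML text content; a value interpolated into an attribute, a URL or an inline script block needs the encoding appropriate to that context, so the check above should be run against every place a template emits a user-controlled value, not just the two shown.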

        Attachments

        1. general-statuslist.vm (0.8 kB)
        2. statuslist.vm (1 kB)
        3. XSSStatusUpdates.png (24 kB)
