[CONFSERVER-26270] reflected xss in the pageId request parameter in 500page.jsp

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.3.2
Affects Version/s: 4.2.11
Component/s: None
Labels:
- affects-server
- cvss-high
- security
- xss

CVSS Score:
7.5
Bug Fix Policy:
View Atlassian Server bug fix policy

A scanner picked up that the pageId parameter in 500page.jsp is a potentially reflected xss bug. This can be exploited through a url like the following: https://example.com/pages/viewtrash.vm;editpage?pageId=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

 


    <%
        String uri = (String)request.getAttribute("javax.servlet.error.request_uri");
        if(uri != null && uri.contains("editpage"))
        {
            String editDraft = context + "/pages/editpage.action?useDraft=true&pageId=" + request.getParameter("pageId");
            %>
            <div class="panel warning">
                <img id="draftNote" alt="" src="<%= context %>/images/icons/emoticons/warning.png">
                You can <a href="<%= editDraft %>">resume editing</a> the most recently saved draft of your page.
            </div>
        <% 
        }
    %>

Assignee:: David Black

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 09/Aug/2012 3:15 AM

Updated:: 11/Oct/2018 9:00 AM

Resolved:: 25/Sep/2012 12:10 AM

Confluence Data Center

Details

Description

Attachments

Forms

Activity

People

Dates