Project: Confluence Data Center
Issue: CONFSERVER-26342

There is a reflected XSS flaw in the settings.action of dailysummary settings.action.

    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix versions: 4.3.2, 4.2.11
    • Environment: fireball-164 – confluence 4.3-RC1 (apparently)

There is a reflected XSS flaw in the settings.action of dailysummary settings.action, as the username parameter is not HTML encoded before being rendered on the page.
Here is an example of a reflected XSS (it adds a picture of a lolcat to the page).

https://wpad.jira-dev.com/wiki/plugins/dailysummary/settings.action?setting=subscribe-to-recommended&value=false&token=&username=%22'x%3Cimg%20src=http://mintyferret.com/wp-content/uploads/2007/07/lolcat7.gif%3E
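The flaw reported above is a missing output-encoding step: a request parameter is written into the page as-is. The following Python is an added example, not code from the issue or from Confluence, that decodes the username parameter from a URL of the shape shown, renders it once without and once with HTML encoding, and runs a simple regression check that flags the unencoded reflection. The host name, the image URL and the surrounding template markup are placeholders assumed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: same query-string shape as in the report, with a
# placeholder host and image URL instead of the original ones.
SAMPLE_URL = (
    "https://confluence.example.invalid/plugins/dailysummary/settings.action"
    "?setting=subscribe-to-recommended&value=false&token="
    "&username=%22'x%3Cimg%20src=http://example.invalid/cat.gif%3E"
)


def username_from_url(url: str) -> str:
    """Decode the username query parameter as the action would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("username", [""])[0]


def render_vulnerable(username: str) -> str:
    """The flawed pattern: the parameter is interpolated into markup verbatim.

    The template text is an assumption; only the missing encoding matters."""
    return f"<p>Settings updated for user <b>{username}</b></p>"


def render_fixed(username: str) -> str:
    """The fix: HTML-encode the parameter (including quotes) before rendering."""
    return f"<p>Settings updated for user <b>{html.escape(username, quote=True)}</b></p>"


def reflects_raw_markup(page: str, param: str) -> bool:
    """Regression check: the parameter carries markup-significant characters
    and still appears in the rendered page unchanged."""
    return any(c in param for c in "<>\"'") and param in page


if __name__ == "__main__":
    name = username_from_url(SAMPLE_URL)
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(name)
        print(f"{label}: reflects raw markup = {reflects_raw_markup(page, name)}")
        print("  " + page)
```

The check is deliberately strict: any of `<`, `>`, `"` or `'` surviving from the parameter into the response body is treated as a failure, which is the condition a unit test for this action should assert against after the fix.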


Assignee: David Black (dblack)
Reporter: David Black (dblack)
Affected customers: 0
Watchers: 4