Details
- Bug
- Resolution: Fixed
- Highest
- 4.2.11
- None
- fireball-164 – confluence 4.3-RC1 (apparently)
- 7.5
Description
There is a reflected XSS flaw in the daily summary settings.action: the username parameter is not HTML-encoded before being rendered on the page.
Here is an example of a reflected XSS (it adds a picture of a lolcat to the page).
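Added illustration, not code from this issue or from Confluence: a constructed stand-in for an i18n message with a `{0}` parameter, rendered once the flawed way (parameter substituted raw) and once with the parameter HTML-encoded before substitution, plus a check that flags any tag in the output that did not come from the trusted message. The message text, the sample username and all function names are assumptions.

```python
import html
import re

# Constructed stand-in for an i18n message string with a MessageFormat-style
# {0} placeholder. Not the real Confluence template.
I18N_MESSAGE = "<p>Daily summary settings for user {0}</p>"

# Constructed value for the untrusted `username` request parameter; it carries
# an image tag, mirroring the "picture of a lolcat" the report describes.
SAMPLE_USERNAME = '<img src="http://example.invalid/lolcat.png">'

# Matches HTML start/end tags so we can compare template vs rendered output.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def render_unencoded(message: str, username: str) -> str:
    """Flawed behaviour: the parameter is dropped into the markup as-is, so
    any tags it contains become part of the page (the linked root cause:
    i18n parameters are not auto-encoded)."""
    return message.replace("{0}", username)


def render_encoded(message: str, username: str) -> str:
    """Hardened form: HTML-encode the parameter *before* substitution so the
    browser renders it as literal text. quote=True also covers the case
    where the placeholder sits inside an attribute value."""
    return message.replace("{0}", html.escape(username, quote=True))


def injected_tags(message: str, rendered: str) -> list[str]:
    """Tags present in the rendered output but absent from the trusted
    message. A non-empty list means untrusted input reached the HTML parser
    as markup, which is the condition a review or test should reject."""
    trusted = set(TAG_RE.findall(message))
    return [t for t in TAG_RE.findall(rendered) if t not in trusted]


if __name__ == "__main__":
    print("unencoded:", injected_tags(I18N_MESSAGE, render_unencoded(I18N_MESSAGE, SAMPLE_USERNAME)))
    print("encoded:  ", injected_tags(I18N_MESSAGE, render_encoded(I18N_MESSAGE, SAMPLE_USERNAME)))
```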
Attachments
Issue Links
- is caused by: CONFSERVER-15548 The i18n in velocity templates does not auto html encode parameters (Closed)