Filed by Vitaly Osipov [Atlassian] on behalf of Muhammad Waqar.
Works in Firefox.
Note: the title and labelstring parameters need encoding.
Reflected XSS Vulnerability in the Feed Builder
Note: Muhammad Waqar published this advisory without coordinating with us http://packetstormsecurity.com/files/122717/Atlassian-Confluence-5.3-Cross-Site-Scripting.html
This is because I received a notification that the bug has been fixed.
Muhammad Waqar, from where did you receive this notification? This issue is still open, as you can see.
Yes, I can see. I had received it via email, the same as the other notifications that are arriving.
Muhammad Waqar, this is interesting: according to the history tab, the state of this issue has never changed to resolved: https://jira.atlassian.com/browse/CONF-30240?page=com.atlassian.streams.streams-jira-plugin:activity-stream-issue-tab
Regardless of that, do you think that publishing an advisory without any coordination with the vendor is a good disclosure policy?
At first look I thought the issue might be fixed, and so it resulted in disclosure. I realize now that it might have been being tested then.
I will make sure that this won't happen again. Sorry for the inconvenience.
Have a good day!
I have QA'ed remotes/origin/confluence-project-5.2-stable as being fixed.