[CONFSERVER-46695] XSS Vulnerability in About Me field

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: None
Affects Version/s: No-Version
Component/s: Apps - Confluence Questions
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

Steps to reproduce:

In id.atlassian.com, add to your About me:

<script>console.log(' +++++ Hi Dennis ++++++');</script>

Save & check in your answers profile - the JS will appear in the browser console.

jclark@atlassian.com can you do me a favor and give every profile field an once-over?

relates to

CONFCLOUD-46695 XSS Vulnerability in About Me field

Closed

causes: ADM-40550 Failed to load

Form Name

Joe Clark added a comment - 02/Aug/2013 8:50 PM - edited

I've confirmed that the "about me" field is the only user profile field that is displayed with django's default HTML escaping disabled.

Joe Clark added a comment - 02/Aug/2013 8:50 PM - edited I've confirmed that the "about me" field is the only user profile field that is displayed with django's default HTML escaping disabled.

Assignee:: Joe Clark

Reporter:: Dennis Kromhout van der Meer (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 02/Aug/2013 12:15 AM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 19/Aug/2013 10:36 PM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Joe Clark added a comment - 02/Aug/2013 8:50 PM, Edited by Joe Clark - 02/Aug/2013 8:54 PM

Expand comment: Joe Clark added a comment - 02/Aug/2013 8:50 PM, Edited by Joe Clark - 02/Aug/2013 8:54 PM

People

Dates