[CONFSERVER-46732] Persistent XSS in Username field

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: None
Affects Version/s: No-Version
Component/s: Apps - Confluence Questions
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output.

Known vulnerability points:

When viewing a user's activity stream on their profile page
When viewing the site-wide activity stream in the Administrative UI

This vulnerability was introduced when Atlassian ID was integrated with Answers. Previously, local-based user accounts had their usernames scrubbed before saving in the database.

relates to

CONFCLOUD-46732 Persistent XSS in Username field

Closed

causes: ADM-40550 Failed to load

There are no comments yet on this issue.

Assignee:: Joe Clark

Reporter:: Joe Clark

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 08/Aug/2013 5:20 PM

Updated:: 11/Oct/2018 9:07 AM

Resolved:: 19/Aug/2013 10:36 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates