[CONFSERVER-15970] XSS in user links

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 3.0.1
Affects Version/s: 3.0
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

A user with username "><script>alert("foo")</script> that is linked to via [~username] markup results in script being executed.

Curiously, viewing the space homepage of that user results in a blank page.

This of course is prevented for public signup, but if the user gets created via other means, i.e. external user management, or via admin control panel then this is a valid point of attack

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

CONF-15970-patches.zip
12/Aug/2009 1:25 AM
25 kB
Brian Nguyen

is caused by

CONFSERVER-15945 Inconsistent validation of usernames between admin-added and public signup

Closed

relates to

CONFSERVER-15920 User Hover is not working for a username which contains plus characters

Closed

Katherine Yabut made changes - 13/Nov/2018 4:44 AM

Workflow

Original: JAC Bug Workflow v3 [ 2884024 ]

New: CONFSERVER Bug Workflow v4 [ 2992251 ]

Owen made changes - 11/Oct/2018 8:48 AM

Workflow	Original: JAC Bug Workflow v2 [ 2787324 ]	New: JAC Bug Workflow v3 [ 2884024 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:15 PM

Workflow

Original: JAC Bug Workflow [ 2718168 ]

New: JAC Bug Workflow v2 [ 2787324 ]

Owen made changes - 02/Jul/2018 6:53 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2380000 ]

New: JAC Bug Workflow [ 2718168 ]

Katherine Yabut made changes - 22/Jun/2017 6:47 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2270932 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2380000 ]

Katherine Yabut made changes - 31/May/2017 5:32 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2216103 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2270932 ]

Katherine Yabut made changes - 31/May/2017 4:55 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2167618 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2216103 ]

Katherine Yabut made changes - 31/May/2017 1:58 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1925980 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2167618 ]

Katherine Yabut made changes - 03/Apr/2017 3:58 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1727901 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1925980 ]

Katherine Yabut made changes - 28/Feb/2017 6:34 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1684355 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1727901 ]

Assignee:: Brian Nguyen (Inactive)

Reporter:: Chris Broadfoot [Atlassian]

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 29/May/2009 4:14 AM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 09/Jul/2009 6:06 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates