Confluence Data Center / CONFSERVER-17933

User's Full Name is an XSS vector in Status Updates tab of User Profile

Details

    • Bug
    • Resolution: Fixed
    • Highest
    • 3.1-rc3
    • 3.0
    • None
    • Server: CAC (3.1-rc2)
      Client: IE6/FireFox, WinXP

    Description

      A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile.

      1) Set a user's Full Name as "<script>alert(document.cookie)</script>".
      2) Log out.
      3) If anonymous access is disabled, log in as a different user; otherwise, continue as Anonymous.
      4) Go to the profile page for the user modified in step 1.
      5) Click the "Status Updates" tab.

      The script will execute twice:

          <div class="statuslist-wrapper">
              <h2 class="subheading">Status Updates for <script>alert(document.cookie)</script></h2>
              The status list for <script>alert(document.cookie)</script> is empty.
          </div>
      

      This does not reproduce when a user views his/her own profile page, as the user's full name is replaced by the word "Your".
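
      The fragment above, rendered with and without HTML-escaping the full name, as an added example that is not part of the original report and is not Confluence's code. The template string is a stand-in built from the markup quoted in the report, and all function names are hypothetical; the check counts the elements an HTML parser sees in each rendering.

```python
import html
from html.parser import HTMLParser

# Full Name value taken from step 1 of the report.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Stand-in for the markup quoted in the report (assumption: this is NOT the
# contents of statuslist.vm, only the rendered shape shown in the description).
FRAGMENT = (
    '<div class="statuslist-wrapper">\n'
    '    <h2 class="subheading">Status Updates for {name}</h2>\n'
    '    The status list for {name} is empty.\n'
    '</div>\n'
)


class _ElementCounter(HTMLParser):
    """Records every start tag the parser recognises in the markup."""

    def __init__(self):
        super().__init__()
        self.counts = {}

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1


def render_unescaped(full_name):
    """Behaviour described in the report: the name is written out as-is."""
    return FRAGMENT.format(name=full_name)


def render_escaped(full_name):
    """Same fragment with the name HTML-encoded at output time."""
    return FRAGMENT.format(name=html.escape(full_name, quote=True))


def element_counts(markup):
    """Return {tag: count} for the elements present in the rendered markup."""
    parser = _ElementCounter()
    parser.feed(markup)
    parser.close()
    return parser.counts


if __name__ == "__main__":
    # The unescaped rendering gains two script elements, one per insertion
    # point, matching "The script will execute twice" in the report.
    print("unescaped:", element_counts(render_unescaped(PAYLOAD)))
    print("escaped:  ", element_counts(render_escaped(PAYLOAD)))
```

      A check like `element_counts` can serve as a regression test for any page that prints the full name: the set of elements in the output should not change with the name's value.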

      Attachments

        1. general-statuslist.vm (0.8 kB)
        2. statuslist.vm (1 kB)
        3. XSSStatusUpdates.png (24 kB)

          People

            alynch Andrew Lynch (Inactive)
            pwyatt Penny Wyatt (On Leave to July 2021)