Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-46732

Persistent XSS in Username field

XMLWordPrintable

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output.

      Known vulnerability points:

      • When viewing a user's activity stream on their profile page
      • When viewing the site-wide activity stream in the Administrative UI

      This vulnerability was introduced when Atlassian ID was integrated with Answers. Previously, local-based user accounts had their usernames scrubbed before saving in the database.

              jclark@atlassian.com Joe Clark
              jclark@atlassian.com Joe Clark
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: