Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-46732

Persistent XSS in Username field

XMLWordPrintable

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output.

      Known vulnerability points:

      • When viewing a user's activity stream on their profile page
      • When viewing the site-wide activity stream in the Administrative UI

      This vulnerability was introduced when Atlassian ID was integrated with Answers. Previously, local-based user accounts had their usernames scrubbed before saving in the database.

            [CONFSERVER-46732] Persistent XSS in Username field

            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2900962 ] New: CONFSERVER Bug Workflow v4 [ 2995732 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2796714 ] New: JAC Bug Workflow v3 [ 2900962 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2728334 ] New: JAC Bug Workflow v2 [ 2796714 ]
            Owen made changes -
            Symptom Severity Original: Minor [ 14432 ] New: Severity 3 - Minor [ 15832 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2393363 ] New: JAC Bug Workflow [ 2728334 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2283765 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2393363 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2224130 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2283765 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2177725 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2224130 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 1943102 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2177725 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v3 [ 1740337 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 1943102 ]

              jclark@atlassian.com Joe Clark
              jclark@atlassian.com Joe Clark
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: