Persistent XSS in Username field

XMLWordPrintable

    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output.

      Known vulnerability points:

      • When viewing a user's activity stream on their profile page
      • When viewing the site-wide activity stream in the Administrative UI

      This vulnerability was introduced when Atlassian ID was integrated with Answers. Previously, local-based user accounts had their usernames scrubbed before saving in the database.

            Assignee:
            Joe Clark
            Reporter:
            Joe Clark
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: