CONFSERVER-55918 (Confluence Server and Data Center)

XSS in User Macros, Macro Title and Icon URL


Description

      Summary

      A System Administrator can enter JS/CSS in the Macro Title and Icon URL fields of the Macro Editor. Script entered in those fields is executed when a user opens the "Macro" selection window.

      How to reproduce

      1. Go to "Edit User Macro" as Confluence Administrator.
      2. Enter "'"><img src=x onerror=alert(1)>" in the Macro Title field.
      3. Enter "http'"><img src=x onerror=alert(3)>" in the Icon URL field.
      4. Click Save.
      5. Open any page for editing.
      6. In the edit UI, select "+" and then "... Other Macros".
      7. Alert popups for alert(1) and alert(3) appear, as set in steps 2 and 3.

      Expected

      • JS/CSS should not be allowed in Macro Title and Icon URL.
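As an added illustration of the mitigation the Expected section asks for (this is not Confluence's own code; the rendering function, the field names and the default icon path are assumptions), the following JavaScript renders a macro-picker entry by raw string interpolation beside a version that escapes each value for its HTML context and accepts only absolute http(s) icon URLs. The malicious inputs are constructed to mirror the reproduction steps above.

```javascript
// Added example, not Confluence code: rendering a user-macro entry in a
// macro picker. The unsafe version concatenates admin-supplied fields into
// HTML, which is how a title like '"><img src=x onerror=alert(1)> breaks out
// of the title attribute. The safe version escapes for the attribute/text
// context and only accepts http(s) icon URLs.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical fallback icon path; anything that is not an absolute http(s)
// URL (including unparseable input and javascript: URLs) is replaced by it.
const DEFAULT_ICON = "/images/icons/macro-default.png";
function safeIconUrl(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === "http:" || url.protocol === "https:") {
      return url.href;
    }
  } catch (e) {
    // Not parseable as an absolute URL; fall through to the default.
  }
  return DEFAULT_ICON;
}

// Vulnerable: raw interpolation into markup (the pattern the report describes).
function renderMacroEntryUnsafe(macro) {
  return `<li title="${macro.title}"><img src="${macro.iconUrl}"> ${macro.title}</li>`;
}

// Hardened: every interpolated value is escaped for its context, and the icon
// URL is validated before it reaches the src attribute.
function renderMacroEntrySafe(macro) {
  const title = escapeHtml(macro.title);
  const icon = escapeHtml(safeIconUrl(macro.iconUrl));
  return `<li title="${title}"><img src="${icon}"> ${title}</li>`;
}

// Constructed inputs mirroring the report's reproduction steps.
const MALICIOUS_MACRO = {
  title: `'"><img src=x onerror=alert(1)>`,
  iconUrl: `http'"><img src=x onerror=alert(3)>`,
};

// Detection helper for the check below: an injected tag survives as a literal
// "<img src=x"; escaped output turns its "<" into "&lt;".
function containsInjectedTag(html) {
  return /<img src=x/.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderMacroEntryUnsafe(MALICIOUS_MACRO));
  console.log("safe:  ", renderMacroEntrySafe(MALICIOUS_MACRO));
}
```

Running the block prints both renderings; only the unsafe one contains a live `<img ... onerror=...>` element. The same approach applies server-side, where Confluence actually builds the picker, by routing every admin-controlled field through a context-aware escaper and a URL allowlist rather than trusting the administrator role.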


      People

        xxu@atlassian.com Xinyi Xu
        d76fbf37b9ef 西谷完太