Confluence Server / CONFSERVER-55918

XSS in User Macros, Macro Title and Icon URL


    Details

    • Symptom Severity:
      Severity 3 - Minor
    • Support reference count:
      1
    • Sprint:
      Ten, Eleven
    • QA Demo Status:
      Not Done
    • QA Kickoff Status:
      Not Done

      Description

      Summary

      A System Administrator can enter JS/CSS in the Macro Title and Icon URL fields of the Macro Editor. The script entered in these fields is executed when a user opens the "Macro" selection window.

      How to reproduce

      1. Go to "Edit User Macro" as a Confluence Administrator.
      2. Enter "'"><img src=x onerror=alert(1)>" in the Macro Title field.
      3. Enter "http'"><img src=x onerror=alert(3)>" in the Icon URL field.
      4. Click Save.
      5. Open any page for editing.
      6. In the edit UI, select "+" and then "... Other Macros".
      7. The alert(1) and alert(3) popups appear, as set in steps 2 and 3.

      Expected

      • JS/CSS should not be allowed in the Macro Title and Icon URL fields.
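      One way to meet this expectation on the rendering side, as an added example that is not Confluence's own code: the Macro Title is HTML-escaped and the Icon URL is restricted to http(s) URLs or site-relative paths before either is placed in the macro-browser markup. The function names, the entry markup and the default icon path are assumptions; the sample input reuses the two payloads from the report above.

```javascript
// Added example (not Confluence code): render a macro-browser entry so that
// admin-supplied Macro Title and Icon URL values cannot inject markup.

// Escape the characters that let text break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only http(s) URLs or site-relative paths as an icon source.
// Anything else (javascript:, data:, malformed input such as the report's
// payload) falls back to a default icon instead of being echoed back.
const DEFAULT_ICON = '/images/icons/macrobrowser/default.png'; // assumed path
function safeIconUrl(value) {
  const raw = String(value ?? '').trim();
  if (raw.startsWith('/') && !raw.startsWith('//')) return raw;
  try {
    const u = new URL(raw);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // not an absolute URL; fall through to the default icon
  }
  return DEFAULT_ICON;
}

// Render one entry of the "Other Macros" list (markup is assumed).
function renderMacroEntry(macro) {
  const title = escapeHtml(macro.title);
  const icon = escapeHtml(safeIconUrl(macro.iconUrl));
  return `<li class="macro-item"><img src="${icon}" alt=""><span>${title}</span></li>`;
}

// Constructed sample using the two payloads from the report.
const sampleMacro = {
  title: `'"><img src=x onerror=alert(1)>`,
  iconUrl: `http'"><img src=x onerror=alert(3)>`,
};
```

With the sample above, the title survives only as escaped text inside the span and the icon URL is replaced by the default icon, so neither alert fires.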


              Dates

              • Last commented:
                14 weeks, 3 days ago