• Type: Bug
• Resolution: Fixed
• Priority: Medium
• Fix Version/s: 6.10.1
• Affects Version/s: 6.9.0
• Component/s: Macros - Content by User
• Labels:

  • lbp
  • lbp-bugfix
  • no-cvss-required
  • security

1. 

   Screen Shot 2018-06-14 at 17.27.45.png

   531 kB

   14/Jun/2018 8:34 AM

2. 

   Screen Shot 2018-06-14 at 17.31.31.png

   762 kB

   14/Jun/2018 8:34 AM

[CONFSERVER-55918] XSS in User Macros, Macro Title and Icon URL

Collapse comment: Yumi Nakajima (Inactive) added a comment - 06/Aug/2018 2:53 AM

Yumi Nakajima (Inactive) added a comment - 06/Aug/2018 2:53 AM

This requires sysadmin privilege.

As a sysadmin already has permissions to do everything, there is no additional Confidentiality, Integrity or Availability impact.
But there's no reason to support scripts running as icons, so it's definitely a bug that should get fixed.

Expand comment: Yumi Nakajima (Inactive) added a comment - 06/Aug/2018 2:53 AM

Yumi Nakajima (Inactive) added a comment - 06/Aug/2018 2:53 AM This requires sysadmin privilege. As a sysadmin already has permissions to do everything, there is no additional Confidentiality, Integrity or Availability impact. But there's no reason to support scripts running as icons, so it's definitely a bug that should get fixed.