XSS in User Macros, Macro Title and Icon URL

XMLWordPrintable

    • 1
    • Severity 3 - Minor

      Summary

      System Administrator is allowed to input JS/CSS in Macro Title and Icon URL in Macro Editor. The script input in the fields can be executed when user open "Macro" selection window.

      How to reproduce

      1. Go to "Edit User Macro"  as Confluence Administrator.
      2. Input "'"><img src=x onerror=alert(1)>" in Macro Title field.
      3. Input "http'"><img src=x onerror=alert(3)>" in Icon URL field.
      4. Click save.
      5. Go to a certain page to edit.
      6. In edit UI, Select "+" then select "... Other Macros".
      7. Popups appear as alert(1) and alert(3) as set.

      Expected

      • JS/CSS should not be allowed in Macro Title and Icon URL.

       

        1. Screen Shot 2018-06-14 at 17.27.45.png
          Screen Shot 2018-06-14 at 17.27.45.png
          531 kB
        2. Screen Shot 2018-06-14 at 17.31.31.png
          Screen Shot 2018-06-14 at 17.31.31.png
          762 kB

            Assignee:
            Xinyi Xu (Inactive)
            Reporter:
            西谷完太
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: