Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-55918

XSS in User Macros, Macro Title and Icon URL

XMLWordPrintable

      Summary

      System Administrator is allowed to input JS/CSS in Macro Title and Icon URL in Macro Editor. The script input in the fields can be executed when user open "Macro" selection window.

      How to reproduce

      1. Go to "Edit User Macro"  as Confluence Administrator.
      2. Input "'"><img src=x onerror=alert(1)>" in Macro Title field.
      3. Input "http'"><img src=x onerror=alert(3)>" in Icon URL field.
      4. Click save.
      5. Go to a certain page to edit.
      6. In edit UI, Select "+" then select "... Other Macros".
      7. Popups appear as alert(1) and alert(3) as set.

      Expected

      • JS/CSS should not be allowed in Macro Title and Icon URL.

       

        1. Screen Shot 2018-06-14 at 17.27.45.png
          Screen Shot 2018-06-14 at 17.27.45.png
          531 kB
        2. Screen Shot 2018-06-14 at 17.31.31.png
          Screen Shot 2018-06-14 at 17.31.31.png
          762 kB

              xxu@atlassian.com Xinyi Xu (Inactive)
              d76fbf37b9ef 西谷完太
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: