- Bug
- Resolution: Fixed
- Medium
- 6.9.0
- 1
- Symptom Severity: Severity 3 - Minor
Summary
A Confluence System Administrator can enter JavaScript/CSS in the Macro Title and Icon URL fields of the Macro Editor. The script entered in those fields executes when any user opens the "Macro" selection window.
How to reproduce
- Go to "Edit User Macro" as a Confluence Administrator.
- Enter "'"><img src=x onerror=alert(1)>" in the Macro Title field.
- Enter "http'"><img src=x onerror=alert(3)>" in the Icon URL field.
- Click Save.
- Open any page for editing.
- In the editor, select "+" and then "... Other Macros".
- Both alert(1) and alert(3) pop up, as set in the two fields.
Expected
- JS/CSS should not be accepted in the Macro Title and Icon URL fields.
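The defect described above, as an added example that is not Confluence's own code: the unescaped string-building pattern that lets admin-controlled Macro Title and Icon URL values reach the macro browser as markup, beside a hardened version that validates the URL and encodes both fields for their output context. Function names and the default icon path are assumptions.

```javascript
// Added example, not Confluence code. Function names and DEFAULT_ICON are hypothetical.

// Vulnerable pattern: admin-controlled fields concatenated straight into the
// macro-browser markup, so '"><img ...> in either field becomes live HTML.
function renderMacroEntryUnsafe(macro) {
  return '<li><img src="' + macro.iconUrl + '"><span>' + macro.title + '</span></li>';
}

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only absolute http(s) URLs or same-origin relative paths for the icon.
// Anything else (javascript:, protocol-relative //host, malformed strings)
// falls back to a default icon instead of being rendered.
const DEFAULT_ICON = '/images/icons/macro-default.png'; // constructed placeholder

function safeIconUrl(url) {
  if (typeof url !== 'string') return DEFAULT_ICON;
  const trimmed = url.trim();
  if (/^https?:\/\/[^\s"'<>]+$/i.test(trimmed)) return trimmed;
  if (/^\/[^\/\\][^\s"'<>]*$/.test(trimmed)) return trimmed;
  return DEFAULT_ICON;
}

// Hardened form: validate the URL first, then encode both values for the
// context they land in (attribute value and element text).
function renderMacroEntry(macro) {
  return '<li><img src="' + escapeHtml(safeIconUrl(macro.iconUrl)) + '"><span>' +
         escapeHtml(macro.title) + '</span></li>';
}

// Constructed sample input using the two values from the reproduction steps.
const SAMPLE_MACRO = {
  title: '\'"><img src=x onerror=alert(1)>',
  iconUrl: 'http\'"><img src=x onerror=alert(3)>',
};
```

Running `renderMacroEntry(SAMPLE_MACRO)` yields a single `<li>` whose text shows the payload literally and whose icon falls back to the default path, whereas the unsafe variant emits two injected `<img>` elements.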
[CONFSERVER-55918] XSS in User Macros, Macro Title and Icon URL
Change history
Field | Original | New
Workflow | JAC Bug Workflow v3 [ 2883182 ] | CONFSERVER Bug Workflow v4 [ 3005522 ]
Workflow | JAC Bug Workflow v2 [ 2791331 ] | JAC Bug Workflow v3 [ 2883182 ]
Status | Resolved [ 5 ] | Closed [ 6 ]
Resolution | | Fixed [ 1 ]
Status | Waiting for Release [ 12075 ] | Resolved [ 5 ]
Fix Version/s | | 6.10.1 [ 80901 ]
Workflow | JAC Bug Workflow [ 2718438 ] | JAC Bug Workflow v2 [ 2791331 ]
Symptom Severity | Minor [ 14432 ] | Severity 3 - Minor [ 15832 ]
Labels | lbp lbp-bugfix no-cvss-required platform-bugfix security | lbp lbp-bugfix no-cvss-required security
Labels | lbp no-cvss-required platform-bugfix security | lbp lbp-bugfix no-cvss-required platform-bugfix security
Labels | lbp no-cvss-required platform platform-bugfix security | lbp no-cvss-required platform-bugfix security
Labels | no-cvss-required platform platform-bugfix security | lbp no-cvss-required platform platform-bugfix security