Cross Site Scripting vulnerabilities in Pickers


Currently, the confluence picker does not sanitize the input (<crowd-url>/crowd/console/secure/pickers/displayPicker.action).

Proof of concept.

1. Access the following URL in your browser with javascript enabled. Replace the <crowd-url> with your crowd URL.

<crowd-url>/crowd/console/secure/pickers/displayPicker.action?searchURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&actionURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&actionName=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&initialMessage=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&finalURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E

2. You will see the following alert:

(attachment: sample.png, 3 kB, uploaded by Jing Hwa Cheok)
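As an added illustration (not code from the report or from Crowd itself), the Python below shows why the PoC payload works and what the missing sanitization looks like: it decodes the five reflected parameters from the report's URL, renders them into a hypothetical picker template both verbatim and entity-encoded, and includes a helper that flags such requests in access-log query strings. The template markup, host name and function names are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The report's PoC URL, with <crowd-url> replaced by a constructed host name.
POC_URL = (
    "https://crowd.example.invalid/crowd/console/secure/pickers/displayPicker.action"
    "?searchURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E"
    "&actionURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E"
    "&actionName=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E"
    "&initialMessage=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E"
    "&finalURL=%3E%22%27%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E"
)
PICKER_PARAMS = ("searchURL", "actionURL", "actionName", "initialMessage", "finalURL")

# Hypothetical picker markup (assumed, not Crowd's real template). The values
# land in a double-quoted attribute, a single-quoted attribute and element
# text, which is why the payload starts with >"'>: it closes whichever
# context it is reflected into before opening the script tag.
TEMPLATE = (
    '<form action="{actionURL}">\n'
    '<input type="hidden" name="searchURL" value="{searchURL}">\n'
    "<input type='hidden' name='finalURL' value='{finalURL}'>\n"
    "<p>{initialMessage}</p>\n"
    '<input type="submit" value="{actionName}">\n'
    "</form>"
)


def picker_params(url: str) -> dict:
    """Decode the five picker parameters from a request URL (empty string if absent)."""
    query = parse_qs(urlsplit(url).query)
    return {name: query.get(name, [""])[0] for name in PICKER_PARAMS}


def render_unsafe(params: dict) -> str:
    """Reflect the parameters verbatim, as the unpatched picker does."""
    return TEMPLATE.format(**params)


def render_safe(params: dict) -> str:
    """Entity-encode every reflected value; quote=True also encodes ' and "."""
    return TEMPLATE.format(**{k: escape(v, quote=True) for k, v in params.items()})


def reflected_script(html: str) -> bool:
    """True if a live <script> tag made it into the rendered page."""
    return "<script" in html.lower()


def flag_request(raw_query: str) -> list:
    """Access-log check: picker parameters whose decoded value contains markup characters."""
    decoded = {k: v[0] for k, v in parse_qs(raw_query).items()}
    return [k for k in PICKER_PARAMS if any(c in decoded.get(k, "") for c in "<>\"'")]
```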

Assignee: joe
Reporter: Jing Hwa Cheok (Inactive)
Votes: 1
Watchers: 5