      Description

      The ViewProfile page contains an XSS bug. I believe this has to do with the new profile code not HTML escaping its output.

      Set the username: Thomas <script>alert(1)</script>

      -->output:

      <td bgcolor="#f0f0f0" colspan="2">
      <h3 class="formtitle">
      User Profile : Thomas"<script>alert(1)</script>
      </h3>
      </td>
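
An added example (not part of the original report and not the product's own code) showing the missing output encoding: the same heading cell rendered with the name verbatim and with it HTML-escaped, then parsed to see which elements a browser-style parser would build. The template string and the function names are constructed for illustration; only the markup and the username value come from the report.

```python
import html
from html.parser import HTMLParser

# Constructed template copying the markup quoted in the report (assumption:
# the real page builds this cell by substituting the user's name as a string).
TITLE_CELL = ('<td bgcolor="#f0f0f0" colspan="2">\n<h3 class="formtitle">\n'
              'User Profile : {name}\n</h3>\n</td>')

# The username value from the report.
REPORTED_NAME = 'Thomas <script>alert(1)</script>'


def render_unescaped(name):
    """Behaviour described in the report: the name is emitted verbatim."""
    return TITLE_CELL.format(name=name)


def render_escaped(name):
    """Fix: encode the name for HTML before it reaches the template."""
    return TITLE_CELL.format(name=html.escape(name, quote=True))


class _Collector(HTMLParser):
    """Records the elements and visible text a parser sees in the markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parsed(markup):
    """Return (element names, concatenated text) for a rendered fragment."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, "".join(collector.text)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        tags, text = parsed(render(REPORTED_NAME))
        print(f"{render.__name__}: elements={tags} text={text.strip()!r}")
```

The `parsed` check doubles as a regression test for the view: after the fix, the element list for the heading cell must not change regardless of what the username contains.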

            People

            • Assignee: Andreas Knecht (Inactive), andreask@atlassian.com
            • Reporter: Anton Mazkovoi [Atlassian], anton@atlassian.com
                Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 2h