  1. Jira Data Center
  2. JRASERVER-15733

XSS bug on ViewProfile page

Details

    Description

      The ViewProfile page contains an XSS bug. I believe this has to do with the new profile code not HTML escaping its output.

      Set the username: Thomas <script>alert(1)</script>

      -->output:

      <td bgcolor="#f0f0f0" colspan="2">
      <h3 class="formtitle">
      User Profile : Thomas"<script>alert(1)</script>
      </h3>
      </td>
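
The report attributes the bug to profile output that is not HTML-escaped. As an added example (not Jira's code and not part of the original report), the Java sketch below renders the same title heading with and without output encoding and checks the result for surviving markup; the class name, method names and template string are assumptions modelled on the markup quoted in the report.

```java
public class ProfileTitleEscaping {
    // Encode text for an HTML element body or a quoted attribute value.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the name is concatenated as-is.
    static String renderTitleUnescaped(String name) {
        return "<h3 class=\"formtitle\">User Profile : " + name + "</h3>";
    }

    // Hardened form: encode the user-controlled value at the point of output.
    static String renderTitleEscaped(String name) {
        return "<h3 class=\"formtitle\">User Profile : " + escapeHtml(name) + "</h3>";
    }

    // Regression check: between the template's own <h3> and </h3>,
    // no angle bracket may survive from user input.
    static boolean hasInjectedMarkup(String html) {
        int start = html.indexOf('>') + 1;       // end of the opening <h3 ...> tag
        int end = html.lastIndexOf("</h3>");     // the template's closing tag
        String body = html.substring(start, end);
        return body.indexOf('<') >= 0 || body.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        String[] names = {
            "Thomas <script>alert(1)</script>",  // value given in the report
            "Tom & Jerry"                        // constructed benign name
        };
        for (String n : names) {
            String safe = renderTitleEscaped(n);
            if (hasInjectedMarkup(safe)) throw new IllegalStateException("unescaped output: " + safe);
            System.out.println("raw markup survives unescaped: " + hasInjectedMarkup(renderTitleUnescaped(n)));
            System.out.println("escaped: " + safe);
        }
    }
}
```

The same check can run as a unit test against any view that prints a user-controlled profile field, so an unencoded field fails the build rather than reaching a browser.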

          People

            andreask@atlassian.com Andreas Knecht (Inactive)
            anton@atlassian.com AntonA

              Time Tracking

                Original Estimate: Not Specified
                Remaining Estimate: 0h
                Time Spent: 2h