-
Type:
Bug
-
Resolution: Fixed
-
Priority:
High
-
Component/s: None
-
6
1. Create a new group named "><script>alert("XSS")</script>
2. In the OnDemand administration section click Fisheye, then Configure to the right of the project name
This vulnerability is due to an unescaped group.name parameter in projectrepositorypermissions.vm
e.g. https://iceberg.jira-dev.com/secure/admin/ProjectRepositoryPermissions.jspa?repositoryKey=SCR
Note that this issue is about a different template to JRA-29686.