-
Bug
-
Resolution: Fixed
-
High (View bug fix roadmap)
-
6.0.3
-
None
-
6
-
7.5
-
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution.
A url to demonstrate this issue is: http://localhost:8080/secure/admin/user/DeleteUser!default.jspa?name=a"><script>alert(document.cookie);</script>&returnUrl=UserBrowser.jspa
- is duplicated by
-
JRASERVER-33678 Reflected XSS in JIRA Admin Panel (Delete User)
-
- Closed
-
- Is related to
-
ADM-40439 Failed to load
- mentioned in
-
Page Failed to load
.