Details
-
Bug
-
Resolution: Won't Fix
-
Low
-
None
-
5.0, 4.4.5, 6.0, 7.0.10
-
4.04
-
2
-
Severity 3 - Minor
-
Description
It is possible for the "Add Watcher" dialog on the view issue page to suggest a user that cannot watch the issue. The client will render an error saying the user cannot be added. JIRA should not show users that cannot be added.
- Restore JIRA QA data.
- Goto an issue XSS-21.
- Try and add "<script>alert(document.cookie)</script>" as watcher.
- (BUG) You will get an error saying that the user cannot see the issue.