Details
- Type: Bug
- Resolution: Fixed
- Priority: Highest
- 6.1.2
- 6.01
- 6.5
Description
Hi,
I found a persistent XSS vulnerability when attaching a file to an issue.
The steps to reproduce are the following:
- Attach a file to an issue. Its name must contain "<script>alert('XSS')</script>". I used a Python script to do that.
- Browse to the issue and open the ALL tab under Activity. A popup should appear.
See the attachment for the result.
Attachments
Issue Links
- Testing discovered: JRASERVER-36204 Attachment data-download-url field in href shows ${attachment.mimetype} if unknown mimetype (Closed)