Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 6.2.1, 6.3-OD-1
Affects Version/s: 6.0.8
Component/s: None
Labels:
- affects-server
- cvss-high
- security
- xss

Introduced in Version:
6
CVSS Score:
6.5
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Steps to reproduce:

-Create a new issue type
-Add "><script>alert('Issue name')</script> as Issue name (mind the qoute at the beginning)
-Add "><script>alert('Issue desc')</script> as Issue Description
-Add /images/icons/issuetypes/genericissue.png "><script>alert('Issue icon')</script> as Issue Icon
-Make sure that this issue type is available on your project.
-Create a new issue
-Alerts, alerts everywhere.
-If you don't see the alerts, then click on the listbox.

So far this can be exploited on these fields : Issue Type icon/name, Priorities icon/name
These views seem to be affected: view issue, create/edit issue, detail view on list view, two dimensional filter statistic gadget (icon field)

I've been able to reproduce this on 6.08

Attachments

Issue Links

is cloned from: JDEV-27163 Loading...

Activity

People

Assignee:: Oswaldo Hernandez (Inactive)

Reporter:: SergioA

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 24/Jan/2014 1:21 AM

Updated:: 28/Mar/2019 12:12 AM

Resolved:: 18/Mar/2014 12:41 AM