XSS when adding Stash Linked Repositories

2014-07-22T05:05:44
ID ATLASSIAN:BAM-14811
Type atlassian
Reporter mszczepanski
Modified 2019-08-19T02:02:54

Description

The Stash server title shown in the "Stash server" dropdown is not escaped, so if it contains a script tag, that script is evaluated in the page.

Our Stash QA test data has the server title "Welcome to <script>alert(666)</script> Long Ståш Title with [...]" which causes the "666" to alert when the "Add repository" button is clicked from the Linked Repos page (http://mszczepanski.local:8085/bamboo/admin/configureGlobalRepositories!default.action).
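The mechanism behind this issue is ordinary HTML injection through string concatenation: a server title is placed into `<option>` markup untouched and then assigned to `innerHTML`, so any markup inside the title becomes live. The following is an added example, not Bamboo's or Atlassian's code, showing the unescaped rendering next to the hardened one and a check that the escaped output carries no tag other than the `<option>` elements the renderer emits itself. The server records (`STASH_SERVERS`), the function names and the escaping helper are all constructed for this illustration; the script-bearing title mirrors the QA test data quoted above.

```javascript
// Added example (not Bamboo's code): escaping a server title before it is
// interpolated into <select> markup. Sample data is constructed.

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can change HTML context, whether the value
// ends up in element text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the title is concatenated into markup as-is, so a
// title containing <script> turns into a real element when assigned to innerHTML.
function renderOptionsVulnerable(servers) {
  return servers
    .map((s) => `<option value="${s.id}">${s.title}</option>`)
    .join('');
}

// Hardened rendering: both the attribute value and the visible label are escaped.
function renderOptionsEscaped(servers) {
  return servers
    .map((s) => `<option value="${escapeHtml(s.id)}">${escapeHtml(s.title)}</option>`)
    .join('');
}

// Review/unit-test check: after stripping the <option> elements the renderer
// emits itself, no other tag opener may remain in the generated markup.
function containsForeignTag(markup) {
  const withoutOptions = markup.replace(/<\/?option[^>]*>/g, '');
  return /<[a-zA-Z!\/]/.test(withoutOptions);
}

// Constructed sample data (hypothetical server records).
const STASH_SERVERS = [
  { id: 'stash-prod', title: 'Stash Production' },
  { id: 'stash-qa', title: 'Welcome to <script>alert(666)</script> Long Ståш Title' },
];

const vulnerableMarkup = renderOptionsVulnerable(STASH_SERVERS);
const escapedMarkup = renderOptionsEscaped(STASH_SERVERS);
console.log('vulnerable markup has a foreign tag:', containsForeignTag(vulnerableMarkup)); // true
console.log('escaped markup has a foreign tag:', containsForeignTag(escapedMarkup));       // false
```

In a real page the same effect is reached without a hand-written escaper by building each entry with `document.createElement('option')` and assigning the title to `textContent` rather than concatenating HTML; the manual version above is shown because it makes the difference between the two outputs visible as strings.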