Persistent XSS in the removepage.action page through the title of the parent page being deleted

Type atlassian
Reporter dblack
Modified 2017-02-17T05:47:10


The parent title of a Confluence page is not HTML-encoded when displayed in removepage.action. This results in a persistent XSS vector.

Steps to reproduce:
1. Add a page with a title of "" <script>alert(3);</script>
2. From the Add menu, select "Add page" (so it is a child of the first page).
3. Save the new page (child).
4. On the child page, from the tools menu select "remove".
5. See an alert dialogue with the number 3 in it.
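
The remedy for this class of bug is to HTML-encode the parent title at the point where it is written into the page. The sketch below is an added example, not Confluence code: the fragment layout, the function names and the child title are assumptions. It renders the title from the reproduction steps with and without encoding and reports any tags that did not come from the template.

```javascript
// Added example, not Confluence code: fragment layout and names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical delete-confirmation fragment. The parent title lands in two
// contexts (quoted attribute and element body), and both need encoding.
function renderRemoveConfirm(parentTitle, childTitle, encode) {
  const enc = encode ? escapeHtml : (s) => String(s);
  return (
    `<p>Remove "${enc(childTitle)}"?</p>\n` +
    `<a class="parent" title="${enc(parentTitle)}">${enc(parentTitle)}</a>`
  );
}

// Regression check: return the names of tags in the output that the template
// itself never emits (it only emits <p> and <a>).
function unexpectedTags(html) {
  const templateTags = new Set(["p", "a"]);
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi)]
    .map((m) => m[1].toLowerCase());
  return names.filter((name) => !templateTags.has(name));
}

// Title taken from the reproduction steps; the child title is constructed.
const PARENT_TITLE = '"" <script>alert(3);</script>';
const CHILD_TITLE = "Child page";

const rawHtml = renderRemoveConfirm(PARENT_TITLE, CHILD_TITLE, false);
const encodedHtml = renderRemoveConfirm(PARENT_TITLE, CHILD_TITLE, true);
console.log("unencoded:", unexpectedTags(rawHtml));
console.log("encoded:  ", unexpectedTags(encodedHtml));
```

A check like unexpectedTags can run as a regression test over every page that displays a user-controlled title, so a template that skips encoding fails the build rather than reaching users.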