XSS in page editor via Shortcut links

2014-10-20T20:42:27
ID ATLASSIAN:CONF-35327
Type atlassian
Reporter michal.marek
Modified 2017-02-17T04:29:41

Description

Steps to reproduce:

1. Add new shortcuts with default alias like "<img src=x onerror=alert(1)>".
2. By typing [searchterms@alias_name] in page editor you can trigger XSS.

By replacing an existing shortcut with a malicious one, we can easily exploit multiple users using this functionality.
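
The class of bug described above, as an added example that is not part of the original report and is not Confluence's code: a stored shortcut alias concatenated into link markup without encoding, next to a version that encodes it for its output context. The shortcut table, the `%s` placeholder handling and all function names are hypothetical, and the sample data is constructed.

```javascript
// Added illustration: hypothetical model of shortcut-link rendering, not Confluence code.
// Constructed sample data; the second default alias is the value from the report.
const shortcuts = new Map([
  ["google", { url: "https://www.google.com/search?q=%s", defaultAlias: "Search for %s" }],
  ["evil", { url: "https://example.invalid/?q=%s", defaultAlias: "<img src=x onerror=alert(1)>" }],
]);

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Split "[searchterms@key]" into its parts; null when the text is not a shortcut link.
function parseShortcut(text) {
  const m = /^\[([^\]@]*)@([^\]@]+)\]$/.exec(text);
  return m ? { terms: m[1], key: m[2] } : null;
}

// Expand a shortcut into { href, label } as raw, unencoded strings.
function expand(text) {
  const link = parseShortcut(text);
  const sc = link ? shortcuts.get(link.key) : undefined;
  if (!sc) return null;
  return {
    href: sc.url.replace("%s", () => encodeURIComponent(link.terms)),
    label: sc.defaultAlias.replace("%s", () => link.terms),
  };
}

// Vulnerable pattern: the stored alias is concatenated into markup as-is.
function renderUnsafe(text) {
  const e = expand(text);
  return e ? `<a href="${e.href}">${e.label}</a>` : escapeHtml(text);
}

// Hardened pattern: each value is encoded for the HTML context it lands in.
function renderSafe(text) {
  const e = expand(text);
  return e ? `<a href="${escapeHtml(e.href)}">${escapeHtml(e.label)}</a>` : escapeHtml(text);
}
```

Because the alias is stored once and rendered for every user who types the shortcut, the encoding has to happen at render time on every output path, not only when the shortcut is saved.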