Persistent Cross Site Scripting Flaw in User Profiles

Type atlassian
Reporter admin+bugs1
Modified 2017-03-01T02:51:17


A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the Atlassian ID system to contain an XSS vector which executes when inserted as a link, and clicked on by the victim.

  1. Visit
  2. Update your Homepage URL to something like "javascript:alert(document.cookie);" and then submit the changes
  3. Return to your profile on and see reflected changes to Homepage URL on profile.


I have also emailed to inform them of unvalidated input on Atlassian's main profile system ( as I feel that by validating that a user indeed puts in a URL, will prevent flaws such as this one.