Persistent Cross Site Scripting Flaw in User Profiles

2014-05-26T14:04:52
ID ATLASSIAN:CONF-46664
Type atlassian
Reporter admin+bugs1
Modified 2017-03-01T02:51:17

Description

A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the Atlassian ID system to contain an XSS vector which executes when inserted as a link, and clicked on by the victim.

  1. Visit https://id.atlassian.com/profile/
  2. Update your Homepage URL to something like "javascript:alert(document.cookie);" and then submit the changes
  3. Return to your profile on answer.atlassian.com and see reflected changes to Homepage URL on profile.

!http://i.imgur.com/Sw5NCRg.png!

I have also emailed security@atlassian.com to inform them of unvalidated input on Atlassian's main profile system (id.atlassian.com) as I feel that by validating that a user indeed puts in a URL, will prevent flaws such as this one.