Links from indexbrowser.jsp are vulnerable to XSS attacks

2009-10-09T01:02:09
ID ATLASSIAN:CONFSERVER-17165
Type atlassian
Reporter mhrynczak
Modified 2018-10-11T09:00:32

Description

[CONF-16888] has introduced or re-introduced an XSS vulnerability.

To reproduce:

  • Create a new user, and for the Full Name use: <script>alert('Vulnerable')</script>
  • Go to ../admin/indexbrowser.jsp and find the entry
  • Click on the entry, and the script is executed.

This also happens for other content types.
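The defect this report describes is a stored value (the user's Full Name) being written into the index browser page without HTML encoding, so browser markup in the value is interpreted when the entry is rendered. The following is an added illustration, not Confluence's own code: a minimal rendering routine in the vulnerable shape next to the same routine with output encoding applied, using the Full Name value from the reproduction steps above as constructed sample input. The link path "/entry/<key>" and the helper names are hypothetical.

```python
import html

# Constructed sample input: the Full Name value from the reproduction steps.
SAMPLE_FULL_NAME = "<script>alert('Vulnerable')</script>"


def render_entry_vulnerable(full_name: str, entry_key: str) -> str:
    """Defect pattern: the stored value is concatenated straight into the page.

    Whatever markup the value carries reaches the browser unchanged, which is
    the behaviour the report describes for indexbrowser.jsp.
    """
    # Hypothetical link path; only the concatenation matters for the demo.
    return f'<a href="/entry/{entry_key}">{full_name}</a>'


def render_entry_escaped(full_name: str, entry_key: str) -> str:
    """Fix pattern: every untrusted value is HTML-encoded at output time.

    html.escape with quote=True encodes &, <, >, " and ', so the value is
    shown as text and cannot close the element or open a new one.
    """
    return (
        f'<a href="/entry/{html.escape(entry_key, quote=True)}">'
        f'{html.escape(full_name, quote=True)}</a>'
    )


def contains_live_script_tag(fragment: str) -> bool:
    """Crude check for the demo: is a raw <script tag still present in the output?

    Useful as a regression assertion on rendered fragments; it is not a
    general XSS detector.
    """
    return "<script" in fragment.lower()


if __name__ == "__main__":
    unsafe = render_entry_vulnerable(SAMPLE_FULL_NAME, "u1")
    safe = render_entry_escaped(SAMPLE_FULL_NAME, "u1")
    print("vulnerable:", unsafe, "-> live script tag:", contains_live_script_tag(unsafe))
    print("escaped:   ", safe, "-> live script tag:", contains_live_script_tag(safe))
```

Encoding at the point of output, rather than trying to filter values on the way in, is what closes this class of bug for every content type at once; the report's last sentence notes that the same rendering path is reached by content other than user names, so a fix applied in the index browser's output code covers those cases as well.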