XSS vulnerability in invite-users-panel.vm [$i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle]), line 37]

2013-03-06T01:06:54
ID ATLASSIAN:CONFSERVER-28383
Type atlassian
Reporter dblack
Modified 2018-10-11T08:37:15

Description

Panopticon (http://panopticon.dyn.syd.atlassian.com/) has detected that the following file contains an XSS vulnerability. This vulnerability has been manually confirmed.

File: confluence-plugins/confluence-bundled-plugins/confluence-easyuser-admin/src/main/resources/templates/invite-users-panel.vm
Vulnerability: $i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle]) [Evaluated as $i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle])]
Line number: 37

As at commit 62a3430ac100a46a5abb5f4279a7ffc942aa370b this area of the file was:

{code}
<label id="invite-user-email-content-label" for="invite-user-email-content">$i18n.getText('easyuser.send.invitations.email.label')</label>
<textarea id="invite-user-email-content" name="invite-user-email-content" rows="12" class="textarea long-field"#if (!$isSmtpConfigured) disabled="disabled" #end>$i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle])</textarea>
</div>
{code}


I have verified that an administrator (who does not have Confluence system administrator privileges but does have Confluence administrator privileges) can change the site title to something such that when an administrator visits the User management page (where the user's 'invite' message is shown) the XSS payload in the site title is triggered.

Steps to reproduce this issue:
1. Change the Confluence site title to something like </textarea><script>alert(31);</script>
2. Go to http://$CONFLUENCE/$CONTEXT_PATH/admin/users/inviteuser.action and notice that an alert dialogue with the number 31 is present in it.
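The root cause above is that a trusted i18n message receives an untrusted parameter (the administrator-controlled site title) and the combined string is emitted raw into the body of a <textarea>, so a title containing a closing tag leaves the textarea context. The following is an added illustration written for this report, not Confluence's own code or its actual fix: it mimics the template line in plain Python with a constructed stand-in for the 'easyuser.send.invitations.email.placeholder' message (the real wording is not on the page), renders the textarea both the vulnerable way and with the parameter HTML-encoded before substitution, and adds a small check that flags any rendering in which the site title escaped the textarea. The function names, the message text and the `render_*`/`textarea_breakout` helpers are assumptions; the payload is the one quoted in the reproduction steps.

```python
"""Context-aware encoding of an i18n message parameter inside a <textarea>.

Added illustration for this report (not Confluence code). The message below and
the helper functions are assumptions that mirror the Velocity line in
invite-users-panel.vm: a trusted message with a {0} placeholder receives the
site title, which a Confluence administrator can change.
"""
import html
import re

# Constructed stand-in for the real i18n message; the wording is not on the page.
PLACEHOLDER_MESSAGE = "You have been invited to join {0}. Click the link below to sign up."

# The payload quoted in the report's reproduction steps, used here as test input.
SITE_TITLE_PAYLOAD = "</textarea><script>alert(31);</script>"


def render_unsafe(site_title: str) -> str:
    """Mirrors the vulnerable pattern: the parameter is substituted raw into the
    message, and the message is emitted raw as the textarea body."""
    body = PLACEHOLDER_MESSAGE.format(site_title)
    return f'<textarea id="invite-user-email-content">{body}</textarea>'


def render_safe(site_title: str) -> str:
    """Hardened form: encode the untrusted parameter for HTML body context before
    the i18n substitution. The trusted message text is left as-is, but the site
    title can no longer close the <textarea> or introduce a <script> element."""
    body = PLACEHOLDER_MESSAGE.format(html.escape(site_title, quote=True))
    return f'<textarea id="invite-user-email-content">{body}</textarea>'


_TEXTAREA_BODY = re.compile(r"<textarea[^>]*>(.*?)</textarea>", re.DOTALL)


def textarea_breakout(rendered: str) -> bool:
    """Detection check for rendered output: a correct page contains exactly one
    <textarea> element, exactly one closing tag, and no raw '<' inside the body.
    Anything else means the parameter escaped the textarea context."""
    bodies = _TEXTAREA_BODY.findall(rendered)
    if len(bodies) != 1 or rendered.count("</textarea>") != 1:
        return True
    return "<" in bodies[0]


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(SITE_TITLE_PAYLOAD)
        print(f"{name}: breakout={textarea_breakout(out)}\n  {out}")
```

Because a textarea body is parsed as RCDATA, the encoded entities in the safe rendering are decoded for display, so the administrator still sees the site title exactly as typed; only its ability to act as markup is removed. The same rule applies to the Velocity template: the parameter should be HTML-encoded before being passed into `$i18n.getText(...)`, rather than relying on the message text being trusted.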