Project description is persistent XSS vector for project admins

2014-02-07T06:04:34
ID ATLASSIAN:JRA-36900
Type atlassian
Reporter andre.lehman@t-systems.com
Modified 2017-02-20T02:54:58

Description

This issue is a clone of another one that was fixed in OD but left unfixed in BTF as "admin xss". It has been pointed out by several customers that this exploit requires only project-admin-level privileges.

The following project description:

{code} <script>alert(1)</script> {code}

Pops up in the view project page, the admin page for the project, etc.