XSS in FilterSubscription

2014-06-10T05:53:41
ID ATLASSIAN:JRA-38678
Type atlassian
Reporter tony.boyle
Modified 2017-02-20T02:56:30

Description

h4. To reproduce:

Visit:

{code:none} /secure/FilterSubscription!default.jspa?returnUrl=javascript:alert(1) {code}

Click "Cancel"

An alert should appear

This URL should be restricted to the current domain, and to http/https protocols.
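
One way to enforce the restriction described above, as an added example (not Jira's code and not part of the original report). The function name {{safeReturnUrl}} and the origin {{https://jira.example.com}} are hypothetical. The check resolves the {{returnUrl}} value against the application's own origin and accepts it only if the result is an http/https URL on that origin:

```javascript
// Added example, not Jira code. APP_ORIGIN is a constructed placeholder.
const APP_ORIGIN = 'https://jira.example.com';

// Returns an absolute same-origin http(s) URL, or the application root
// when the supplied value cannot be trusted as a navigation target.
function safeReturnUrl(raw, appOrigin = APP_ORIGIN) {
  const base = new URL(appOrigin);
  const fallback = new URL('/', base).href;
  if (typeof raw !== 'string' || raw === '') return fallback;

  // Browsers strip tabs/newlines and treat "\" like "/" while parsing URLs,
  // so reject them (and other control characters and spaces) before parsing.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return fallback;

  let url;
  try {
    url = new URL(raw, base); // resolves relative values against our origin
  } catch (err) {
    return fallback;
  }

  // Protocol allowlist: blocks javascript:, data:, vbscript:, etc.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  // Same-origin check: blocks //host, https://other-host and scheme downgrade.
  if (url.origin !== base.origin) return fallback;
  // Embedded credentials have no place in a return link.
  if (url.username !== '' || url.password !== '') return fallback;

  return url.href;
}
```

The validated value still needs HTML attribute encoding when it is written into the "Cancel" link.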