Miscellaneous support-related JSPs contain XSS holes

Type atlassian
Reporter andreask@atlassian.com
Modified 2017-02-17T06:17:00


JIRA contains a number of support-related JSPs that have been added over the years. They were mostly for fighting spam and other support-related tasks. Unfortunately, none of these was ever tested very much, and they contain a lot of XSS holes. They are: groupnames.jsp, indexbrowser.jsp, classpath-debug.jsp, viewdocument.jsp, cleancommentspam.jsp and plugin-bundles.jsp.

They should all be removed from JIRA unless we make a concentrated effort to integrate the functionality that they provide into the product!