XSS in Issue Collector

2012-11-05T10:10:54
ID ATLASSIAN:JRASERVER-30363
Type atlassian
Reporter crolack
Modified 2017-02-20T00:46:25

Description

Hi Atlassian!

There is an XSS vulnerability in the issue collector:

File: /atlassian-jira-5.1.8-source/jira-issue-collector-plugin/src/main/resources/templates/view-collector.vm
Line 82: <td class="nav summary"><a href="${baseurl}/browse/${issue.key}">${issue.summary}</a>

Anonymous users can inject JS in the issue summary which usually will be executed by users with extended permissions.

Best regards, Conrad
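
A check a reviewer could run over Velocity templates for the pattern reported above, a reference written into HTML without passing through an encoder. This is an added example, not code from the report or from Atlassian; the encoder helper names and the list of trusted references are assumptions.

```python
import re

# Encoder helpers treated as safe. Which helpers a template context exposes is
# an assumption of this sketch; list the ones your templates really use.
SAFE_WRAPPERS = ("textutils.htmlEncode", "esc.html")
WRAP = re.compile(r"\$!?\{?(?:" + "|".join(map(re.escape, SAFE_WRAPPERS)) + r")\(")
# Velocity reference: $a, $!a, ${a.b}, $a.b.c
REF = re.compile(r"\$!?\{?([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)")

def _mask_encoded(line):
    """Blank out each encoder call, arguments included, keeping line length."""
    start = 0
    while (m := WRAP.search(line, start)):
        depth, i = 1, m.end()
        while i < len(line) and depth:      # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
        line = line[:m.start()] + " " * (i - m.start()) + line[i:]
        start = i
    return line

def find_raw_references(template, trusted=()):
    """Return (line_no, reference) for every reference emitted unencoded."""
    findings = []
    for no, line in enumerate(template.splitlines(), 1):
        if line.lstrip().startswith("#"):   # directive or comment, no output
            continue
        for m in REF.finditer(_mask_encoded(line)):
            if m.group(1) not in trusted:
                findings.append((no, m.group(1)))
    return findings

# Constructed sample: line 2 is the row quoted in the report, line 3 is the
# same row with the summary passed through an (assumed) encoder helper.
SAMPLE = """#foreach ($issue in $issues)
<td class="nav summary"><a href="${baseurl}/browse/${issue.key}">${issue.summary}</a>
<td class="nav summary"><a href="${baseurl}/browse/${issue.key}">$textutils.htmlEncode($issue.summary)</a>
#end"""

if __name__ == "__main__":
    # Treating baseurl and issue.key as server-controlled is a reviewer assumption.
    for no, ref in find_raw_references(SAMPLE, trusted={"baseurl", "issue.key"}):
        print(f"line {no}: ${ref} reaches the page without HTML encoding")
```

The scan is line-based, so output that shares a line with a `#` directive is not inspected.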