[XPORTER-3494] Stored XSS in AuditLogs by User Name field value - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: Release 5.7.0
Fix Version/s: 6.6.0
Component/s: Security
Labels:
- security_vulnerability_medium

Sprint:
JIRAXPORTER-2020 Sprint 1
Requirement Status:
OK
- 1

Description

Steps:

The attacker accesses his account and changes its name to an XSS payload
The attacker go to any issue, and from the "Xporter" section he exports the issue.
Now any Admin/Users go to AuditLogs_ the XSS Payload is reflected in the victim's browser

Attachments

Activity

People

Assignee:: Joao Goncalves [X] (Inactive)

Reporter:: Rui Rodrigues

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Due:: 24/Nov/20

Created:: 12/Oct/20 1:28 PM

Updated:: 19/Oct/20 10:20 PM

Resolved:: 16/Oct/20 11:51 AM

Time Tracking

Estimated:

0m

Remaining:

0m

Logged:

2h