[XRAY-7486] XSS on Document Generator template description - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 4.3.1
Component/s: Document Generator, Security
Labels:
- security_vulnerability_medium

Sprint:
XRAYSERVERDG 2021 SPRINT 6
Requirement Status:
OK
- 1

Description

Xray is vulnerable to XSS by injecting malicious javascript on the template description.

Steps to reproduce:

Add malicious javascript to the template description
```
"><img src=x onerror=javascript:alert(1)>
```

Go to an issue and click on Xray Document Generator dialog to export a single issue
Hover the question mark and the javascript will run

Remediation steps: Sanitize template description

Attachments

Activity

People

Assignee:: Andre Fernandes Rodrigues

Reporter:: Paulo Alves

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 13/Apr/21 11:32 AM

Updated:: 24/May/21 11:57 AM

Resolved:: 10/May/21 4:40 PM

Time Tracking

Estimated:

Not Specified

Remaining:

0m

Logged:

2h 30m