[TIME-261] XSS in JIRA Timesheet

Issue #261 resolved
Andriy Zhdanov created an issue

Double-quote characters are not escaped in usernames on the Group Time Sheet gadget.

Quick way to reproduce:
1) Create a user with the username (not display name) of:

" onmouseover="alert(document.cookie)" blah="

2) Add it to a group and configure the Group Time Sheet gadget to use that group.
3) Mouseover the display name of the user in the gadget.

The generated HTML source is:

<a target="_parent" href="/secure/ConfigureReport.jspa?startDate=4/Apr/11&endDate=10/Apr/11 &targetUser=" onmouseover="alert(document.cookie)" blah="&reportKey=jira-timesheet-plugin:report &weekends=true&showUsers=false">evil</a>

By dbutler/Douglas Butler on Mon, 18 Jun 2012 03:43:19 -0700
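
An added example, not part of the original report and not the plugin's own code: a Python sketch of the link rendering described above, showing the unescaped form beside one that percent-encodes each query parameter and then HTML-escapes the attribute value. The function names are hypothetical; the URL, parameters, username and display name are the ones quoted in the report. Parsing the output and listing the attributes on the `<a>` tag serves as a regression check.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode

# Username taken from the reproduction steps in the report.
REPORTED_USERNAME = '" onmouseover="alert(document.cookie)" blah="'

def params(username):
    # Parameter names and values mirror the HTML quoted in the report.
    return [
        ("startDate", "4/Apr/11"),
        ("endDate", "10/Apr/11"),
        ("targetUser", username),
        ("reportKey", "jira-timesheet-plugin:report"),
        ("weekends", "true"),
        ("showUsers", "false"),
    ]

def render_link_unescaped(username, display_name):
    """Reported behaviour: values concatenated into the attribute as-is."""
    query = "&".join(f"{k}={v}" for k, v in params(username))
    return (f'<a target="_parent" href="/secure/ConfigureReport.jspa?{query}">'
            f'{display_name}</a>')

def render_link_encoded(username, display_name):
    """Percent-encode each parameter, then HTML-escape for the attribute."""
    href = "/secure/ConfigureReport.jspa?" + urlencode(params(username))
    return (f'<a target="_parent" href="{escape(href, quote=True)}">'
            f'{escape(display_name)}</a>')

class AnchorAttrs(HTMLParser):
    """Records the attributes of the first <a> start tag it sees."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attributes(html_text):
    """Return the attribute names and values a parser sees on the first <a>."""
    parser = AnchorAttrs()
    parser.feed(html_text)
    parser.close()
    return parser.attrs
```

With the reported username, the unescaped link parses with extra `onmouseover` and `blah` attributes, while the encoded link parses with only `target` and `href`, and the username survives intact as the `targetUser` value.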

Comments (2)

  1. Andriy Zhdanov reporter

    Fixed in the same 2.3.5, please re-install. Note you may need to do 'find jira-webapp-dir -name jira-timesheet-plugin-2.3.5.jar | xargs rm' to clean up the previous install.
    Committed revision 168562.
    Committed revision 168563.
    Committed revision 168564.
    Committed revision 168736.

    By azhdanov on Tue, 19 Jun 2012 01:04:49 -0700

  2. Andriy Zhdanov reporter

    Fixed in 2.2.9 also.

    Committed revision 168836.

    By azhdanov on Sun, 15 Jul 2012 14:24:34 -0700