Project: Change Request Application
Issue: CRAPP-298

XSS through title of change request


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Version/s: 1.9.2, 0.11

    Description

      It's possible to exploit the title of a CR to perform injection.
      Reproduction steps:

      • Create a new CR with a title {{/html asyncgroovy}}println("Hello from groovy!"){{/groovy/async}}
      • With an admin user, go to see that CR

      Expected result:

      • the title should not be executed

      Obtained result:

      • the title is executed in the sheet of the CR
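One defensive check for this class of bug, added here as an example and not code from the Change Request Application or from XWiki: a user-controlled title must be treated as plain text when it is inserted into the CR sheet, and titles already stored can be audited for macro markers before an administrator opens them. The tilde escaping below follows the XWiki 2.x syntax rule (`~` escapes the next character); that it produces the same output as XWiki's `$services.rendering.escape` is an assumption, and the sample titles are constructed (the first is the one from the report above).

```python
import re

# Constructed sample inputs (not from a live CR database). The first entry is the
# title used in the bug report above; the others are benign titles for comparison.
SAMPLE_TITLES = [
    '{{/html asyncgroovy}}println("Hello from groovy!"){{/groovy/async}}',
    "Fix typo in README",
    "Document the {{code}} macro",  # contains a macro marker, possibly innocent
]

# Opening or closing macro marker in XWiki 2.x syntax: "{{", an optional "/",
# then a macro name. A wiki renderer treats anything matching this as a macro
# call rather than as text, which is what the reported title relies on.
MACRO_MARKER = re.compile(r"\{\{\s*/?\s*[A-Za-z][\w.-]*")


def contains_macro_syntax(title: str) -> bool:
    """Audit check for stored titles: True if the title still carries an
    unescaped macro marker. In XWiki 2.x syntax '~' escapes the next character,
    so every "~X" pair is dropped first and "~{~{" is not reported."""
    unescaped = re.sub(r"~.", "", title, flags=re.DOTALL)
    return MACRO_MARKER.search(unescaped) is not None


def escape_wiki_syntax(text: str) -> str:
    """Neutralise user-controlled text before it is inserted into wiki content:
    prefix every character with '~' so none of it can start wiki syntax.
    Assumption: this mirrors what XWiki's $services.rendering.escape(text,
    'xwiki/2.1') returns; a real fix should call that service (or render the
    title as plain text) rather than carry a private copy of the rule."""
    return "".join("~" + ch for ch in text)


def audit_titles(titles):
    """Return the titles an administrator should review after the fix: those
    whose stored value would be interpreted as a macro call when rendered."""
    return [t for t in titles if contains_macro_syntax(t)]


if __name__ == "__main__":
    for t in audit_titles(SAMPLE_TITLES):
        print("macro syntax in title:", t)
    print("escaped:", escape_wiki_syntax(SAMPLE_TITLES[0]))
```

The audit deliberately reports benign-looking titles such as the third sample as well: the point is that the stored string would be parsed as a macro call, not whether the author meant harm, so the reviewer decides case by case.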

      People: Simon Urli (surli)