You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2019/06/18 14:57:25 UTC

[allura:tickets] #8303 CVE-2019-10085: XSS on user autocomplete

- **private**: Yes --> No



---

** [tickets:#8303] CVE-2019-10085: XSS on user autocomplete**

**Status:** closed
**Milestone:** v1.11.0
**Created:** Mon Jun 10, 2019 02:18 PM UTC by Dave Brondsema
**Last Updated:** Mon Jun 17, 2019 03:19 PM UTC
**Owner:** Dave Brondsema


Via security@apache.org report

> ...
> 
> 3\. Go to http://localhost:8080/auth/preferences/ and set
> "<script>confirm(1)</script>" (without the quotes) as your Display Name
> under Preferences / General Settings. Save.
> 
> 4\. As test-user, create a new Project. Let's assume the URL for the
> project is http://localhost:8080/p/abc
> 
> 5\. For that Project, go to http://localhost:8080/p/abc/tickets/new/
> 
> 6\. In the Owner dropdown on the Create Ticket page, type the letter "s"
> 
> ...


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.