Cross-Site Scripting leak in Highlight Search Result

Deleted user January 26, 2020

The Highlight Search Results plugin, made by codecentric AG, has a cross-site scripting leak. Wonder how these add-ons are tested before they appear in the marketplace?

Our security testing team assesses each new add-on before we start using it and was able to use cross-site scripting in this plugin.

1 answer

0 votes
Sascha Novakovic
Contributor
January 27, 2020

Hello Hans,

Our security team is investigating right now and we'll fix this issue as soon as possible.

To address the affected customers, we additionally reported a security incident to Atlassian.

Thank you again for letting us know.

Best regards
Sascha (codecentric AG)

Deleted user January 29, 2020

OK, thanks. 

Sascha Novakovic
Contributor
February 12, 2020

A quick update from our side:

There was indeed an XSS vulnerability, where encoded script code on a page could be activated by navigating to that page after a search with highlighted search terms. A direct script injection was never possible though.

We released a fix last week.

Best regards
Sascha
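The bug class Sascha describes (encoded markup on a page becoming live once search terms are highlighted) is the classic "read decoded text, write back as HTML" highlighter mistake. The block below is an added example, not the plugin's code; it assumes the vulnerable implementation behaved like `element.textContent` in and `element.innerHTML` out, and models those two DOM operations as string functions so it runs in Node without a DOM. The sample page content and the `highlightUnsafe`/`highlightSafe`/`hasForeignTag` names are constructed for illustration.

```javascript
// Added example (not the plugin's code): string model of a highlighter bug class.
// Stored page text is HTML-encoded ("&lt;script&gt;..."), so the browser shows it
// as inert text. A highlighter that takes the decoded text (what textContent
// returns), wraps matches in <mark>, and writes the result back via innerHTML
// re-activates the once-encoded markup. The hardened variant escapes every
// text fragment and only emits the markup it built itself.

const DECODE = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };
const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Models element.textContent: entities come back as the characters they encode.
function decodeEntities(html) {
  return html.replace(/&(lt|gt|quot|#39|amp);/g, (m) => DECODE[m]);
}

// The escaping step a correct implementation must apply before any innerHTML write.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable pattern: decoded text in, raw HTML string out (as if assigned to innerHTML).
function highlightUnsafe(storedHtml, term) {
  const text = decodeEntities(storedHtml);
  const re = new RegExp(escapeRegExp(term), "gi");
  return text.replace(re, (m) => `<mark>${m}</mark>`);
}

// Hardened pattern: split on the term, escape each fragment, wrap only the matches.
function highlightSafe(storedHtml, term) {
  const text = decodeEntities(storedHtml);
  const re = new RegExp(`(${escapeRegExp(term)})`, "gi"); // capturing group keeps matches
  return text
    .split(re)
    .map((part, i) => (i % 2 === 1 ? `<mark>${escapeHtml(part)}</mark>` : escapeHtml(part)))
    .join("");
}

// Review/test helper: any tag other than <mark> / </mark> in the output is foreign markup.
function hasForeignTag(html) {
  return /<(?!\/?mark>)[a-z!\/?]/i.test(html);
}

// Constructed sample: a page body whose stored text carries encoded script markup.
const SAMPLE_PAGE = "Release notes: &lt;script&gt;alert(1)&lt;/script&gt; notes";
```

Running both highlighters over `SAMPLE_PAGE` with the term `notes` shows the difference: the unsafe output contains a live `<script>` tag, while the hardened output keeps it encoded and adds only `<mark>` elements.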
