The Highlight Search Results plugin, made by codecentric AG, has a cross-site scripting leak. I wonder how these add-ons are tested before they appear in the marketplace?
Our security testing team assesses each new add-on before we start using it and was able to use cross-site scripting in this plugin.
Hello Hans,
Our security team is investigating right now and we'll fix this issue as soon as possible.
To address the affected customers, we additionally reported a security incident to Atlassian.
Thank you again for letting us know.
Best regards
Sascha (codecentric AG)
OK, thanks.
A quick update from our side:
There was indeed an XSS vulnerability, where encoded script code on a page could be activated by navigating to that page after a search with highlighted search terms. A direct script injection was never possible though.
We released a fix last week.
Best regards
Sascha
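The bug class Sascha describes, as an added illustration that is not the plugin's code and not part of the original thread: a highlighter that decodes the stored (HTML-encoded) page text to find the search term, wraps the matches in `<mark>` tags, and hands the result back to the browser as markup. Because the non-matching text is never re-encoded, content that was safely encoded on the page (here a constructed `&lt;img ... onerror=...&gt;` string) becomes a live element once a search term on the same page is highlighted, while the search term itself never gets injected, since only text that already exists on the page is wrapped. The function names, the entity table, and the sample page content are all assumptions made for this example.

```javascript
// Added example: vulnerable vs. hardened search-term highlighting.
// Not the plugin's code; all names and the sample content are hypothetical.

const DECODE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass entity decoding (a double-encoded "&amp;lt;" stays "&lt;").
function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m) => DECODE[m]);
}

function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// VULNERABLE: decodes the stored page HTML to plain text, wraps matches,
// then returns the decoded text as markup. Any "<" that was stored encoded
// on the page is now emitted raw, so encoded script content is activated.
function highlightVulnerable(storedHtml, term) {
  if (!term) return storedHtml;
  const text = decodeEntities(storedHtml);
  const re = new RegExp(escapeRegExp(term), 'gi');
  return text.replace(re, (m) => `<mark>${m}</mark>`);
}

// HARDENED: split the decoded text on the term (capturing group keeps the
// matches at odd indices), re-encode every segment, and only emit the
// <mark> tags the highlighter itself produces.
function highlightSafe(storedHtml, term) {
  if (!term) return storedHtml;
  const text = decodeEntities(storedHtml);
  const re = new RegExp(`(${escapeRegExp(term)})`, 'gi');
  return text
    .split(re)
    .map((seg, i) => (i % 2 === 1 ? `<mark>${encodeHtml(seg)}</mark>` : encodeHtml(seg)))
    .join('');
}

// Check used below: does the output contain any tag other than <mark>/</mark>?
function containsForeignTag(html) {
  return /<(?!\/?mark\b)/.test(html);
}

// Constructed sample: page content as it is stored, with an encoded payload.
const STORED_PAGE = 'Release notes: &lt;img src=x onerror=alert(1)&gt; for search';

function demo() {
  const vuln = highlightVulnerable(STORED_PAGE, 'search');
  const safe = highlightSafe(STORED_PAGE, 'search');
  return {
    vulnerable: vuln,
    vulnerableActivatesPayload: containsForeignTag(vuln),
    safe: safe,
    safeActivatesPayload: containsForeignTag(safe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `containsForeignTag` check is a deliberately narrow assertion for this example: it only asks whether anything other than the highlighter's own `<mark>` tags reached the output, which is exactly the difference between the two functions on the same stored content and search term.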