The Highlight Search Results plugin, made by codecentric AG, has a cross-site scripting leak. Wonder how these add-ons are tested before they appear in the marketplace?
Our security testing team assesses each new add-on before we start using it and was able to use cross-site scripting in this plugin.
Our security team is investigating right now and we'll fix this issue as soon as possible.
To address the affected customers, we additionally reported a security incident to Atlassian.
Thank you again for letting us know.
Sascha (codecentric AG)
A quick update from our side:
There was indeed an XSS vulnerability, where encoded script code on a page could be activated by navigating to that page after a search with highlighted search terms. A direct script injection was never possible though.
We released a fix last week.
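The mechanism Sascha describes above, as an added example that is not the plugin's code: a highlighter reads an element's decoded text (as `textContent` would return it), wraps search hits in `<span>` tags with a string replace, and writes the result back as markup (as `innerHTML` would). Any script that the wiki stored in encoded form (`&lt;script&gt;`) becomes live on the way back, even though nothing could be injected directly. The hardened version escapes every text fragment before it is turned back into markup. The function names, the `hl` class and the stored page content are constructed for this example; the DOM is simulated with plain strings so it runs without a browser.

```javascript
// Added example, not the plugin's code: models the XSS pattern described in the
// thread (decoded text -> string replace -> written back as markup) beside a
// hardened highlighter. Names and sample content are constructed.

const DECODE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// What element.textContent returns for stored, escaped HTML.
function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m) => DECODE[m]);
}

// Escape a text fragment so it is inert when inserted as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Search terms are user input; never feed them to RegExp unescaped.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable pattern: the decoded text is re-emitted as markup, so the
// previously encoded <script> tag is resurrected along with the <span>s.
function vulnerableHighlight(storedHtml, term) {
  const text = decodeEntities(storedHtml);            // like el.textContent
  const re = new RegExp(escapeRegExp(term), 'gi');
  return text.replace(re, (m) => `<span class="hl">${m}</span>`); // like el.innerHTML = ...
}

// Hardened pattern: split the decoded text around matches and escape each
// fragment (matched and unmatched) before building markup. Only the <span>
// wrapper we add ourselves is ever live markup.
function safeHighlight(storedHtml, term) {
  const text = decodeEntities(storedHtml);
  const re = new RegExp(escapeRegExp(term), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<span class="hl">${escapeHtml(m[0])}</span>`;
    last = m.index + m[0].length;
    if (m[0].length === 0) re.lastIndex++;            // guard against empty matches
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed page content: the author typed a script tag and the wiki stored it
// escaped, so it renders as harmless text until a highlighter re-injects it.
const STORED = 'Release notes: &lt;script&gt;x()&lt;/script&gt; search term';

function demo(term = 'search') {
  return {
    vulnerable: vulnerableHighlight(STORED, term),
    safe: safeHighlight(STORED, term),
  };
}

console.log(demo());
```

The `safe` output keeps `&lt;script&gt;` encoded while still wrapping the hit in a `<span>`; the `vulnerable` output contains a bare `<script>` element, which is exactly what a browser would execute once that string is assigned to `innerHTML`. In a real page the same split-and-escape approach maps onto building text nodes and `<span>` elements with `document.createTextNode` and `appendChild` rather than string concatenation.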