XSS through user requested add-on names - CVE-2018-5229

Description

The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in user-submitted add-on names.

Environment

None

Security Policy

None

Assignee

Unassigned

Reporter

SecurityB

Team

None

QA Dev

None

Needs Doc

None

Peer Reviewer

None

Mgr Approver

None

CC

None

Product

None

App Key

None

DC app ready for review?

None

Fix versions

Affects versions

Priority

Major