Persistent Cross Site Scripting in Version 6.2 (XSS)


Dadisi Sanyika

Mar 22, 2017, 6:15:09 PM
to SonarQube
# Proof of Concept

1. Log in to the application as an administrator at https://sonarqube-dev/sessions/new
2. Navigate to Administration > Security > Users.
3. Click Create User.
4. Enter a login and password and enter "<script>alert(1)</script>" as the name.
5. Click Create.
6. Navigate to Administration > Security > Groups.
7. View the members list for the sonar-users group and observe that an alert window containing the number 1 is displayed.

Fabrice Bellingard

Mar 23, 2017, 4:38:32 AM
to Dadisi Sanyika, SonarQube
Hi Dadisi,

thanks a lot for reporting this issue. I do confirm the issue. It's not that critical because only admins can set the name of a user, but still we're going to fix it (SONAR-9003).


Best regards,

Fabrice BELLINGARD | SonarSource
SonarQube & SonarLint Product Manager
http://sonarsource.com

To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/032f3fa2-107d-49c1-9fcf-35be928f6e20%40googlegroups.com.
