Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
- printing issues (print_all_bug_page.php) when the custom field is displayed as a column
Impact
Cross-site scripting (XSS).
Patches
447a521
Workarounds
Ensure Custom Field Names do not contain HTML tags.
References
Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
Impact
Cross-site scripting (XSS).
Patches
447a521
Workarounds
Ensure Custom Field Names do not contain HTML tags.
References