Cross-site Scripting (XSS) vulnerability in profile names
This is a vulnerability reported by the Madison Gurkha external blackbox test. This has to have been recently introduced as it's trivial to exploit and something I know myself and others have tested previously.
Proof-of-concept:
While editing a user profile, intercept the form submission using a tool like BurpSuite. Change the "user[name]" field to Appel<script>alert("XSS via name in profile")</script>
. Now when anyone tries to add a user to their project or assign an issue the script will execute.
I'd like to include a patch for this in the existing security release issue, as this is trivial to exploit.
Edited by Brian Neel