User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:184.108.40.206) Gecko/20100401 Firefox/3.6.3
Build Identifier:

Both the GET and POST variables "lhs" are affected:
https://hudson.mozilla.org/projectRelationship?rhs=on&lhs=%22%20%3E%3C/input%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E&Submit=Compare

Reproducible: Always
mcoates has had luck in the past filing bugs at Hudson's tracker.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This issue still hasn't been patched and it can be used to obtain authentication credentials.
This slipped a bit. Bug filed with Hudson. We are on an old version, the solution might be just to update. http://issues.hudson-ci.org/browse/HUDSON-8804
hudson.mozilla.org points to jenkins.mozilla.org. I have tested this and it doesn't happen anymore.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
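A regression check for the reflection reported in this bug, as an added example that is not part of the original thread or of Hudson's code. The two `render_*` functions are constructed stand-ins for the server's response (the real template is not shown on this page); `reflected_unescaped` is the check a tester would run against the actual response body.

```python
import html
from urllib.parse import urlsplit, parse_qs

# URL taken from the report above.
REPORTED_URL = ("https://hudson.mozilla.org/projectRelationship?rhs=on&lhs="
                "%22%20%3E%3C/input%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E"
                "&Submit=Compare")


def reported_value(url, param="lhs"):
    """Return the URL-decoded value of one query parameter."""
    return parse_qs(urlsplit(url).query)[param][0]


def render_unsafe(value):
    # Constructed stand-in: echoes the parameter into an attribute verbatim.
    return '<input type="text" name="lhs" value="%s"/>' % value


def render_escaped(value):
    # Same markup with HTML escaping; quote=True also escapes " and '.
    return ('<input type="text" name="lhs" value="%s"/>'
            % html.escape(value, quote=True))


def reflected_unescaped(body, value):
    """True if the submitted value comes back with its markup intact."""
    if not any(c in value for c in '<>"\''):
        return False  # nothing in the value can change the HTML context
    return value in body


if __name__ == "__main__":
    v = reported_value(REPORTED_URL)
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        print(name, "-> reflected unescaped:", reflected_unescaped(render(v), v))
```
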