- **private**: Yes --> No
--- ** [tickets:#8303] CVE-2019-10085: XSS on user autocomplete** **Status:** closed **Milestone:** v1.11.0 **Created:** Mon Jun 10, 2019 02:18 PM UTC by Dave Brondsema **Last Updated:** Mon Jun 17, 2019 03:19 PM UTC **Owner:** Dave Brondsema Via secur...@apache.org report > ... > > 3\. Go to http://localhost:8080/auth/preferences/ and set > "<script>confirm(1)</script>" (without the quotes) as your Display Name > under Preferences / General Settings. Save. > > 4\. As test-user, create a new Project. Let's assume the URL for the > project is http://localhost:8080/p/abc > > 5\. For that Project, go to http://localhost:8080/p/abc/tickets/new/ > > 6\. In the Owner dropdown on the Create Ticket page, type the letter "s" > > ... --- Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
