XSS Attack Prevention


We’ve detected a possible security issue in SonarQube.

Repro steps:

  1. Go to Administration > Configuration > General Settings.

  2. Enter in “About page text” field: aaabbb

  3. Go to about page. JavaScript message is shown.

  • which versions are you using (SonarQube
  • what are you trying to achieve (Deploy a SonarQube PoC environment to evaluate SonarQube services)

Does SonarQube implement XSS Attack Prevention at code level?


Thanks for taking the time to report this. In fact, it was identified previously through our own testing procedures, but since only SonarQube administrators can set this property we’ve determined that as a practical matter it’s not a risk. Does this make sense?


Hi Ann,

Thank so much for replying. Yeah, it makes sense for me.


Hi, I fail to see how this is practical as this can be abused by attackers.

Also I wonder if there is a (responsible) disclosure workflow as vulnerabilities should not be discussed in the public normally.


That’s a valid point. We have a responsible disclosure workflow for SonarSource’s customers and we will adapt it to make it available for community users.
I will come back to this thread once it is published.


Hello @DanielRuf,

Our Responsible Vulnerability Disclosure policy has been published.