Jira Server and Data Center: JRASERVER-28072

CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen

      Description

      The administration screen which facilitates the addition of new custom field options is vulnerable to CSRF, as it does not check that the atl_token submitted is in fact legitimate for the user submitting it (you can put in any value for the token field).

      To access this screen you can go to a URL similar to the following (it is linked from the issue custom fields administration page, /secure/admin/ViewCustomFields.jspa):

      http://$host/secure/admin/EditCustomFieldOptions!default.jspa?fieldConfigSchemeId=10300&fieldConfigId=10300&customFieldId=10200&returnUrl=ConfigureCustomField!default.jspa%3FcustomFieldId%3D10200
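The defect the report describes, a handler that accepts any value in the atl_token field, comes down to checking only that the field is present rather than that it matches the token issued to the submitting user's session. As an added example, not code from Jira or from the reporter, the Python below contrasts that presence-only check with a validation that binds the token to the authenticated session and compares it in constant time. The in-memory session store, the handler names and the form layout are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session state.
# A real application would keep this server-side, keyed by the session cookie.
SESSIONS = {}


def new_session():
    """Create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Server-rendered form: the hidden token field carries the session's
    own token, so a page served from another origin cannot know it."""
    return {"atl_token": SESSIONS[sid]["csrf_token"], "option": ""}


def vulnerable_add_option(sid, form):
    """Models the behaviour the issue reports: the handler only requires
    that some atl_token value be submitted, never that it belongs to the
    submitting user's session, so a forged cross-site form with an
    arbitrary token value is processed."""
    if not form.get("atl_token"):
        return "reject"
    return "option added: " + form["option"]


def hardened_add_option(sid, form):
    """Corrected check: the submitted token must equal the token minted
    for this session. Bytes are compared in constant time so that a
    mismatch does not leak timing information about the expected value."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = form.get("atl_token", "")
    if expected is None or not isinstance(submitted, str):
        return "reject"
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "reject"
    return "option added: " + form["option"]


if __name__ == "__main__":
    sid = new_session()
    forged = {"atl_token": "anything", "option": "Blue"}   # constructed forged submission
    genuine = dict(render_form(sid), option="Blue")         # legitimate, server-rendered form
    print("vulnerable, forged token:", vulnerable_add_option(sid, forged))
    print("hardened, forged token:  ", hardened_add_option(sid, forged))
    print("hardened, genuine token: ", hardened_add_option(sid, genuine))
```

The hardened handler still depends on the token never reaching another origin: it must be emitted only into pages served to the authenticated user and never placed in a URL, since URLs leak through Referer headers and logs. Rotating the token per session (as here) is usually sufficient; rotating per request is stricter but breaks multiple open tabs.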

              People

              Assignee:
              edalgliesh Eric Dalgliesh (public name)
              Reporter:
              dblack David Black
              Votes: 0
              Watchers: 3