Details
-
Bug
-
Resolution: Tracked Elsewhere
-
Medium
-
5.0.3
-
5
-
5
-
Description
Several REST web services are vulnerable to XSRF, allowing malicious web pages to execute them under the context of a logged in users browser.
It's understood that JIRA REST interfaces are typically protected against XSRF based on the content-type they consume. The following methods are vulnerable as they consume content types that can be submitted by a standard HTML form:
- MediaType.TEXT_PLAIN
- MediaType.MULTIPART_FORM_DATA
- MediaType.APPLICATION_FORM_URLENCODED
- MediaType.WILDCARD
The severity of these vulnerabilities vary from adding voters/voting on issues, to updating project and user avatars.
| Filename | Methods |
|---|---|
| FavouriteResource.java |
|
| IssueResource.java |
|
| JiraInlineActionResource.java |
|
| MessageHandlersResource.java |
|
| ProjectAvatarResource.java |
|
| ProjectCategoriesResource.java |
|
| ProjectResource.java |
|
| RenderersResource.java |
|
| UserResource.java |
|
| ValidationResource.java |
|
Attachments
Issue Links
- has requirement
-
SCT-299 Loading...
