XSS in /secure/admin/AssociateProjectRepPath!default.jspa

XMLWordPrintable

    • 7.5

      fromScreen is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token.

      GET /secure/admin/AssociateProjectRepPath!default.jspa?projectId=10000&fromScreen="><script>alert(1)</script>
      

      Response

      
                  <input type='submit' accesskey="s" value="Submit" />&nbsp;
                  <input type='button' accesskey="`" value="Cancel"
                                           onclick="window.location = '/secure/admin/ViewFishEyeConfig.jspa';"
                                    />
                  <input type='hidden' name="submitted" value="true" />
                  <input type='hidden' name="projectId" value="10000" />
                   <input type="hidden" name="fromScreen" value=""><script>alert(1)</script>" />         </center>
      

      The content appears in HTML attribute context and in HTML context, so "<" and quote itself have to be escaped.

      See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues

              Assignee:
              Eric Dalgliesh
              Reporter:
              VitalyA
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: