Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-39318

Escape or filter script tags in "all activity" panel

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Medium Medium
    • None
    • 6.2.5
    • None

      We've got an external report about a third party plugin:

      From: Vincent Ollivier <vincentollivier@hpjsolutions.com>
      Date: 29 July 2014 13:12
      Subject: JIRA 6.2.5 / JEditor XSS Vulnerability
      To: security@atlassian.com

      Hi,

      Sorry for the email, I couldn't find the correct project to report this security issue.
      There's an XSS in JEditor comments and details textareas (https://marketplace.atlassian.com/plugins/com.jiraeditor.jeditor#support).

      1) Add the following comment, in "source mode" : <iframe/src=javascript:alert(document.cookie)>
      2) Delete the comment
      3) Open the "all" tab under the activities panel.

      You should get an alert box with a cookie displayed in it.

      You can contact me if you need more informations.

      Sincerely,
      Vincent OLLIVIER

      I replied that the plugin needs to be fixed.

      We need to do something with the output to "all" activities panel (and probably others?) to defend against sloppily coded third party plugins. Force encode? Strip script tags before outputting them?

      Opinions welcome.

              Unassigned Unassigned
              vosipov VitalyA
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: