[JRASERVER-61888] XSS in /includes/decorators/global-translations.jsp

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 7.2.2
Affects Version/s: 6.0, 6.3, 6.4, 7.1.0, 7.1.7, Archived Jira Cloud, 7.0.0
Component/s: Navigation Panel
Labels:

Introduced in Version:
6
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:

Tamper with a GET request to http://<JIRA instance>/includes/decorators/global-translations.jsp with the Host header set to some XSS payload (e.g.
```
<script>alert(/xss/)</script>
```
The offending lines in code pick this payload and browser renders it (observe an alert with text "xss")

Offending code in /src/main/webapp/includes/decorators/global-translations.jsp#18:

17      <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18      <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19      <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

Selection_109.png
14 kB
15/Jul/2016 3:24 AM
Selection_110.png
32 kB
15/Jul/2016 3:24 AM

relates to

JRACLOUD-61888 XSS in /includes/decorators/global-translations.jsp

Closed

is cloned by: JSB-86 You do not have permission to view this issue

was cloned as: JDEV-37331 Failed to load

David Black added a comment - 23/Aug/2016 5:31 AM - edited

CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

See http://go.atlassian.com/cvss for more details.

David Black added a comment - 23/Aug/2016 5:31 AM - edited CVSS v3 score: 4.7 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None See http://go.atlassian.com/cvss for more details.

Roberto dos Santos Soares added a comment - 04/Aug/2016 7:04 PM

Hi guys!

Any update on this vulnerability?

Best regards,

Roberto dos Santos Soares added a comment - 04/Aug/2016 7:04 PM Hi guys! Any update on this vulnerability? Best regards,

Assignee:: Artur Pawelczyk (Inactive)

Reporter:: Roberto dos Santos Soares

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 15/Jul/2016 2:23 AM

Updated:: 28/Mar/2019 12:21 AM

Resolved:: 27/Sep/2016 9:34 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: David Black added a comment - 23/Aug/2016 5:31 AM, Edited by David Black - 17/Jan/2017 10:42 PM

Expand comment: David Black added a comment - 23/Aug/2016 5:31 AM, Edited by David Black - 17/Jan/2017 10:42 PM

Collapse comment: Roberto dos Santos Soares added a comment - 04/Aug/2016 7:04 PM

Expand comment: Roberto dos Santos Soares added a comment - 04/Aug/2016 7:04 PM

People

Dates