Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-61888

XSS in /includes/decorators/global-translations.jsp


      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:

      • Tamper with a GET request to http://<JIRA instance>/includes/decorators/global-translations.jsp with the Host header set to some XSS payload (e.g.
      • The offending lines in code pick this payload and browser renders it (observe an alert with text "xss")

      Offending code in /src/main/webapp/includes/decorators/global-translations.jsp#18:

      17      <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
      18      <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
      19      <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">

        1. Selection_109.png
          14 kB
        2. Selection_110.png
          32 kB

            apawelczyk Artur Pawelczyk (Inactive)
            3fcb179f0169 Roberto dos Santos Soares
            0 Vote for this issue
            4 Start watching this issue