Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-28072

CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen

    XMLWordPrintable

Details

    Description

      The administration screen which facilitates the addition of new custom field options is vulnerable to csrf, as it does not check that the atl_token submitted is in fact legitimate for the user submitting it (you can put in any value for the token field).

      To access this screen you can go to a url similar to the following ( it is linked off the issue custom fields administration page (/secure/admin/ViewCustomFields.jspa) ):

      http://$host/secure/admin/EditCustomFieldOptions!default.jspa?fieldConfigSchemeId=10300&fieldConfigId=10300&customFieldId=10200&returnUrl=ConfigureCustomField!default.jspa%3FcustomFieldId%3D10200

      Attachments

        Issue Links

          Activity

            People

              edalgliesh Eric Dalgliesh (public name)
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: