High The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups rest resource that is vulnerable to reflected xss through the user supplied 'project' path parameter. The vulnerability is caused by building an error response message with a content type of text/html and not html encoding the 'project' parameter when the 'project' parameter cannot be parsed as a long.
An example url demonstrating this flaw looks like:
http://$JIRA/jira/rest/gadget/1.0/labels/gadget/%22'%3Cvideo%20onerror=alert(3)%20src=xxxx%3Ealert(3);%3C/script%3E/groups
@GET
@Path ("gadget/{project}/{fieldId}/groups")
@Produces (MediaType.TEXT_HTML)
public Response getLabelGroups(@PathParam ("project") String project, @PathParam ("fieldId") String fieldId)
{
long projectId;
try
{
projectId = Long.parseLong(StringUtils.substring(project, "project-".length()));
}
catch (NumberFormatException e)
{
log.error("Error parsing project id from '" + project + "'");
return Response.status(Response.Status.BAD_REQUEST).entity("Error parsing project id from '" + project + "'").cacheControl(NO_CACHE).build();
}
return Response.ok(alphabeticalLabelRenderer.getHtml(authenticationContext.getLoggedInUser(), projectId, fieldId, true)).cacheControl(NO_CACHE).build();
}