Details
-
Bug
-
Resolution: Fixed
-
High
-
None
-
None
-
6.8
-
Description
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.
(filed by vosipov on behalf of a customer) See the original issue. According to my testing a custom field of type "datepicker" accepts any text, including script and will reflect it back unfiltered in case of an error on the page (e.g. not all fields filled in).
Tested on the latest OnDemand instance. Sample code after injection into customfield_10102
<div class="field-group aui-field-datepicker" > <label for="customfield_10102">datepicker</label> <input class="text medium-field datepicker-input" id="customfield_10102" name="customfield_10102" type="text" value=">"> <script>alert(xss)</script> <"" /> <a href="#" id="customfield_10102-trigger" title="Select a date"> <span class="aui-icon icon-date">Select a date</span> </a>
Attachments
Issue Links
- is cloned from
-
JRASERVER-30039 Reflected XSS in Create Issue Details page
- Closed
- relates to
-
JRACLOUD-31709 Reflected XSS in Create Issue Details page
- Closed