Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 6.0-OD-11/Beta1
Affects Version/s: None
Component/s: None
Labels:
- cvss-high
- security
- xss

CVSS Score:
6.8
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

(filed by vosipov on behalf of a customer) See the original issue. According to my testing a custom field of type "datepicker" accepts any text, including script and will reflect it back unfiltered in case of an error on the page (e.g. not all fields filled in).

Tested on the latest OnDemand instance. Sample code after injection into customfield_10102

 <div class="field-group aui-field-datepicker" >
                  <label for="customfield_10102">datepicker</label>
                  <input class="text medium-field datepicker-input" id="customfield_10102" name="customfield_10102" type="text" value=">">
                  <script>alert(xss)</script>
                  <"" />
                  <a href="#" id="customfield_10102-trigger" title="Select a date">
                    <span class="aui-icon icon-date">Select a date</span>
                  </a>

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Screen Shot 2013-02-15 at 5.07.05 PM.png
343 kB
15/Feb/2013 6:07 AM

Issue Links

is cloned from

JRASERVER-30039 Reflected XSS in Create Issue Details page

Closed

relates to

JRACLOUD-31709 Reflected XSS in Create Issue Details page

Closed

Activity

People

Assignee:: Eric Dalgliesh

Reporter:: Xsite GmbH

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 15/Feb/2013 6:01 AM

Updated:: 16/Oct/2018 12:55 AM

Resolved:: 23/Apr/2013 3:50 AM