-
Bug
-
Resolution: Won't Fix
-
Medium (View bug fix roadmap)
-
None
-
6.2.5
-
None
-
6.02
-
6.5
-
We've got an external report about a third party plugin:
From: Vincent Ollivier <vincentollivier@hpjsolutions.com>
Date: 29 July 2014 13:12
Subject: JIRA 6.2.5 / JEditor XSS Vulnerability
To: security@atlassian.comHi,
Sorry for the email, I couldn't find the correct project to report this security issue.
There's an XSS in JEditor comments and details textareas (https://marketplace.atlassian.com/plugins/com.jiraeditor.jeditor#support).1) Add the following comment, in "source mode" : <iframe/src=javascript:alert(document.cookie)>
2) Delete the comment
3) Open the "all" tab under the activities panel.You should get an alert box with a cookie displayed in it.
You can contact me if you need more informations.
Sincerely,
Vincent OLLIVIER
I replied that the plugin needs to be fixed.
We need to do something with the output to "all" activities panel (and probably others?) to defend against sloppily coded third party plugins. Force encode? Strip script tags before outputting them?
Opinions welcome.
vosipov, I don't think there's anything we can actually do in product to avoid this I reckon, plugin devs are responsible for escaping the output of the html they render, we can just give them the tools to do so
Regards,
Oswaldo Hernández.
JIRA Bugmaster.
[Atlassian].