Content Spoofing in the /issues/?filter

XMLWordPrintable

    • 5

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      A third party scan found that the Issue Navigator action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users.
      How to reproduce:
      1. go to https://jira.atlassian.com/issues/?filter=whscheck%22%20was%20not%20found%20on%20this%20server.%20WARNING:%20Your%20account%20has%20been%20suspended.%20Contact%20WhiteHat%20immediately%20at%20%22000-000-0000.

      2. observe that the filter parameter value is found html encoded below in the error message.

            Assignee:
            Oswaldo Hernandez (Inactive)
            Reporter:
            Ricksoft Co., Ltd.
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: