Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.2.2
Affects Version/s: 6.0, 6.3, 6.4, 7.1.0, 7.1.7, Archived Jira Cloud, 7.0.0
Component/s: Navigation Panel
Labels:

Introduced in Version:
6
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:

Tamper with a GET request to http://<JIRA instance>/includes/decorators/global-translations.jsp with the Host header set to some XSS payload (e.g.
```
<script>alert(/xss/)</script>
```
The offending lines in code pick this payload and browser renders it (observe an alert with text "xss")

Offending code in /src/main/webapp/includes/decorators/global-translations.jsp#18:

17      <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18      <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19      <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

Selection_109.png
14 kB
15/Jul/2016 3:24 AM
Selection_110.png
32 kB
15/Jul/2016 3:24 AM

relates to

JRACLOUD-61888 XSS in /includes/decorators/global-translations.jsp

Closed

is cloned by: JSB-86 Loading...

was cloned as: JDEV-37331 Loading...

Assignee:: Artur Pawelczyk (Inactive)

Reporter:: Roberto dos Santos Soares

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Due:: 18/Oct/2016

Created:: 15/Jul/2016 2:23 AM

Updated:: 28/Mar/2019 12:21 AM

Resolved:: 27/Sep/2016 9:34 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates