  1. Jira Server and Data Center
  2. JRASERVER-61888

XSS in /includes/decorators/global-translations.jsp

    Details

      Description

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:

      • Tamper with a GET request to http://<JIRA instance>/includes/decorators/global-translations.jsp with the Host header set to some XSS payload (e.g.
        <script>alert(/xss/)</script>)
      • The offending lines in the code pick up this payload and the browser renders it (observe an alert with the text "xss")

      Offending code in /src/main/webapp/includes/decorators/global-translations.jsp#18:

      17      <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
      18      <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
      19      <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">
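
      The concatenation on line 18 next to a hardened form, as an added example that is not Jira code and not the fix Atlassian shipped. The class, method and host names, the allow-list, and the port and context path values are hypothetical.

```java
import java.util.Locale;
import java.util.Set;

// Added example, not Jira code. Class, method and host names are hypothetical.
public class BaseUrlAttribute {

    // Constructed allow-list of host names this instance is configured to serve.
    static final Set<String> ALLOWED_HOSTS = Set.of("jira.example.com");
    static final String CANONICAL_HOST = "jira.example.com";

    // Encode characters that can close an attribute value or open a tag.
    static String escapeHtmlAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same concatenation as line 18 of the JSP; serverName is taken from the Host header.
    static String unsafeInput(String scheme, String serverName, int port, String ctx) {
        String baseUrl = scheme + "://" + serverName + ':' + port + ctx;
        return "<input type=\"hidden\" title=\"baseURL\" value=\"" + baseUrl + "\">";
    }

    // Hardened: unknown hosts fall back to the configured name, and the value
    // is encoded for the attribute context in every case.
    static String safeInput(String scheme, String serverName, int port, String ctx) {
        String host = serverName == null ? "" : serverName.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            host = CANONICAL_HOST;
        }
        String baseUrl = scheme + "://" + host + ':' + port + ctx;
        return "<input type=\"hidden\" title=\"baseURL\" value=\"" + escapeHtmlAttr(baseUrl) + "\">";
    }

    public static void main(String[] args) {
        String hostHeader = "<script>alert(/xss/)</script>"; // sample value from the report
        System.out.println(unsafeInput("http", hostHeader, 8080, "/jira")); // port and path are constructed
        System.out.println(safeInput("http", hostHeader, 8080, "/jira"));
        System.out.println(safeInput("http", "jira.example.com", 8080, "/jira"));
    }
}
```

      Building the base URL from a configured host name rather than the request also keeps a shared cache from storing a response whose content depends on the Host header, which is the cache-poisoning route the report mentions.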
      

        Attachments

        1. Selection_109.png
          14 kB
          nma
        2. Selection_110.png
          32 kB
          nma

              People

              Assignee:
              apawelczyk Artur Pawelczyk
              Reporter:
              roberto.soares1696718354 Roberto dos Santos Soares