• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 7.2.2
• Affects Version/s: 6.0, 6.3, 6.4, 7.1.0, 7.1.7, Archived Jira Cloud, 7.0.0
• Component/s: Navigation Panel
• Labels:

  • CVE-2016-6285
  • advisory
  • advisory-released
  • affects-cloud
  • affects-server
  • cvss-medium
  • jira-ninjas-explore
  • security
  • xss

1. 

   Selection_109.png

   14 kB

   15/Jul/2016 3:24 AM

2. 

   Selection_110.png

   32 kB

   15/Jul/2016 3:24 AM

[JRASERVER-61888] XSS in /includes/decorators/global-translations.jsp

Bugfix Automation Bot made changes - 28/Mar/2019 12:21 AM

Minimum Version

New: 6

Owen made changes - 16/Oct/2018 1:00 AM

Workflow	Original: JAC Bug Workflow v2 [ 2847092 ]	New: JAC Bug Workflow v3 [ 2930876 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 25/Sep/2018 4:37 AM

Symptom Severity

Original: Minor [ 14432 ]

New: Severity 3 - Minor [ 15832 ]

Owen made changes - 25/Sep/2018 12:41 AM

Workflow

Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2587921 ]

New: JAC Bug Workflow v2 [ 2847092 ]

Ignat (Inactive) made changes - 01/Feb/2018 2:33 PM

Workflow

Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1580860 ]

New: JIRA Bug Workflow w Kanban v7 - Restricted [ 2587921 ]

Ignat (Inactive) made changes - 08/Dec/2017 12:01 PM

Affects Version/s		New:  Archived Cloud Version [ 77301 ]
Affects Version/s	Original: 1000.174.0 Cloud [ 62594 ]

jonah (Inactive) made changes - 02/Apr/2017 11:24 AM

Description

Original: Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: * Tamper with a GET request to {{http://&lt;JIRA instance>/includes/decorators/global-translations.jsp}} with the {{Host}} header set to some XSS payload (e.g. {code}<script>alert(/xss/)</script>{code} * The offending lines in code pick this payload and browser renders it (observe an alert with text "xss") Offending code in {{/src/main/webapp/includes/decorators/global-translations.jsp#18}}: {code:java} 17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>"> 18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>"> 19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>"> {code}

New: {panel:bgColor=#e7f4fa}   *NOTE:* This bug report is for *JIRA Server*. Using *JIRA Cloud*? [See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61888].   {panel} Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: * Tamper with a GET request to {{http://&lt;JIRA instance>/includes/decorators/global-translations.jsp}} with the {{Host}} header set to some XSS payload (e.g. {code}<script>alert(/xss/)</script>{code} * The offending lines in code pick this payload and browser renders it (observe an alert with text "xss") Offending code in {{/src/main/webapp/includes/decorators/global-translations.jsp#18}}: {code:java} 17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>"> 18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>"> 19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>"> {code}

jonah (Inactive) made changes - 02/Apr/2017 11:24 AM

Link

New: This issue relates to JRACLOUD-61888 [ JRACLOUD-61888 ]

David Black made changes - 17/Jan/2017 10:51 PM

Link

New: This issue relates to JRA-22946 [ JRA-22946 ]

David Black made changes - 17/Jan/2017 10:51 PM

Affects Version/s

New: 6.0 [ 29793 ]

Load more older events