[JRASERVER-67106] XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.8.1, 7.9.0, 7.6.7
Affects Version/s: 7.4.4
Component/s: Dashboard & Gadgets
Labels:

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7.04
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.

Workaround

Disable the gadget.

Navigate to Administration > Add-ons > Manage add-ons and set the filter to show Application Components.
Scroll down the list of plugins and expand JIRA Agile.
Click the "+" symbol next to the count of modules in this plugin to expand the list.
Scroll down until you find the Agile board gadget and set it to disabled.

Sharon Ben-Ami (PALANTIR) added a comment - 27/May/2018 12:21 PM

Hi David,

Wonder what exactly do you mean about quick filter names?

Sharon Ben-Ami (PALANTIR) added a comment - 27/May/2018 12:21 PM Hi David, Wonder what exactly do you mean about quick filter names?

David Black added a comment - 10/Apr/2018 3:25 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

David Black added a comment - 10/Apr/2018 3:25 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.7 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 10/Apr/2018 3:18 AM

Updated:: 22/May/2020 8:22 AM

Resolved:: 10/Apr/2018 3:19 AM

Details

Description

Workaround

Attachments

Forms

Activity

[JRASERVER-67106] XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100

Collapse comment: Sharon Ben-Ami (PALANTIR) added a comment - 27/May/2018 12:21 PM

Expand comment: Sharon Ben-Ami (PALANTIR) added a comment - 27/May/2018 12:21 PM

Collapse comment: David Black added a comment - 10/Apr/2018 3:25 AM

Expand comment: David Black added a comment - 10/Apr/2018 3:25 AM

People

Dates