[JRASERVER-67106] XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.8.1, 7.9.0, 7.6.7
Affects Version/s: 7.4.4
Component/s: Dashboard & Gadgets
Labels:

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7.04
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.

Workaround

Disable the gadget.

Navigate to Administration > Add-ons > Manage add-ons and set the filter to show Application Components.
Scroll down the list of plugins and expand JIRA Agile.
Click the "+" symbol next to the count of modules in this plugin to expand the list.
Scroll down until you find the Agile board gadget and set it to disabled.

set-jac-bot made changes - 22/May/2020 8:22 AM

Fixed in Enterprise Release/s

New: [Download 7.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Bugfix Automation Bot made changes - 28/Mar/2019 12:24 AM

Minimum Version

New: 7.04

Owen made changes - 16/Oct/2018 1:00 AM

Workflow	Original: JAC Bug Workflow v2 [ 2829126 ]	New: JAC Bug Workflow v3 [ 2930052 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 25/Sep/2018 4:18 AM

Symptom Severity

Original: Major [ 14431 ]

New: Severity 2 - Major [ 15831 ]

Owen made changes - 25/Sep/2018 12:25 AM

Workflow

Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2655144 ]

New: JAC Bug Workflow v2 [ 2829126 ]

Ignat (Inactive) made changes - 28/Jun/2018 8:03 AM

Status

Original: Closed [ 6 ]

New: Resolved [ 5 ]

Ignat (Inactive) made changes - 28/Jun/2018 8:02 AM

Fix Version/s

New: 7.6.7 [ 79717 ]

David Di Blasio made changes - 15/Jun/2018 7:32 AM

Description

Original: The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.

New: The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.

h3. Workaround
Disable the gadget.
- Navigate to *Administration > Add-ons > Manage add-ons* and set the filter to show *Application Components*.
- Scroll down the list of plugins and expand *JIRA Agile*.
- Click the "+" symbol next to the count of modules in this plugin to expand the list.
- Scroll down until you find the *Agile board gadget* and set it to disabled.

Adrian Stephen made changes - 15/Jun/2018 6:51 AM

Assignee

Original: Adrian Stephen [ astephen@atlassian.com ]

Adrian Stephen made changes - 15/Jun/2018 6:51 AM

Assignee

New: Adrian Stephen [ astephen@atlassian.com ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 10/Apr/2018 3:18 AM

Updated:: 22/May/2020 8:22 AM

Resolved:: 10/Apr/2018 3:19 AM

Details

Description

Workaround

Attachments

Forms

Activity

[JRASERVER-67106] XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100

People

Dates