Bug
Resolution: Fixed
Highest
None
The UpdatePField action is vulnerable to reflected XSS because the fieldId parameter is passed unsanitized to the Issue-confirmation.vm Velocity template.
This issue can be tested with a specially crafted link, such as:
File: greenhopper\src\main\Resources\Atlassian-plugin.xml
<action name="com.pyxis.greenhopper.jira.actions.CardBoardAction" alias="CardBoardAction">
    ...
    <command name="updateField" alias="UpdatePField">
        <view name="success">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
        <view name="error">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
    </command>
</action>
File: greenhopper\src\main\resources\templates\greenhopper\jira\issue\Actions\Issue-confirmation.vm
Issue-confirmation.vm
#disable_html_escaping()
#if(!$action.errors.isEmpty())
<span class="gh-error">#foreach($error in $action.errors)$action.getText($error)<br>#end</span>
<script type="text/javascript">
    #if($action.fieldId)Boards.ffocus('${action.fieldId}In');#end
    GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);
</script>
#else
##POSSIBLEXSS
<script type="text/javascript">
    Boards.needsRefresh = Boards.inSearchMode;
    #if($action.searchBoard)
        #if($action.refresh && $action.selectedBoard.statsPanelSupported) Boards.refreshSearchStats('$action.selectedBoard.searchKey', '${action.escapeJavaScript($action.searchType)}');#end
        #if($action.key) getIssue('$action.selectedBoard.id','$action.issueObject.key').refresh();#end
        Boards.returnToSearch();
    #elseif(!$action.planningBoard && $action.refresh)
        #if($action.id)Boards.getBoardForIssue('$action.issueObject.key', '${action.escapeJavaScript($action.redirectType)}');
        #else Boards.refreshAll();#end
    #else
        #if($action.simpleUpdate)
            getIssue('$action.selectedBoard.id','$action.key').refresh();
            #if($action.refresh)
                Boards.refreshColumn();
                Boards.mainBoard.refreshMarkers();
            #end
        #else
            #if($action.id)
                Boards.getBoard('$action.selectedBoard.id').refreshMainBoard(Boards.mainBoard.getStart(), ['$action.key']);
                Boards.refreshColumn();
            #else
                #if($action.refresh)
                    Boards.refreshAll();
                #else
                    Boards.getBoard('$action.selectedBoard.id').refreshMainBoard();
                    Boards.refreshColumn();
                #end
            #end
        #end
        Boards.closePopup();
    #end
</script>
#end
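The template above runs with HTML escaping disabled and wraps only some values in escapeJavaScript(), so the same pattern is worth auditing across the other templates. The following is an added example, not GreenHopper code: a heuristic lint that flags single-quoted JavaScript strings inside script blocks that interpolate a Velocity reference without escapeJavaScript(). The function name unescaped_refs is hypothetical, and the sample is a few lines excerpted from the template quoted on this page.

```python
import re

# Excerpt of issue-confirmation.vm as quoted on this page (a few lines only).
TEMPLATE = r"""#disable_html_escaping()
<script type="text/javascript">
#if($action.fieldId)Boards.ffocus('${action.fieldId}In');#end
GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);
</script>
<script type="text/javascript">
Boards.refreshSearchStats('$action.selectedBoard.searchKey', '${action.escapeJavaScript($action.searchType)}');
Boards.getBoardForIssue('$action.issueObject.key', '${action.escapeJavaScript($action.redirectType)}');
</script>
"""

SCRIPT_OPEN = re.compile(r"<script\b", re.I)
SCRIPT_CLOSE = re.compile(r"</script>", re.I)
JS_STRING = re.compile(r"'([^'\n]*)'")     # single-quoted JS literal on one line
VTL_REF = re.compile(r"\$!?\{?[A-Za-z_]")  # start of a Velocity reference


def unescaped_refs(template):
    """Return (line_no, literal) for each single-quoted JS string inside a
    <script> block that interpolates a Velocity reference without routing
    it through escapeJavaScript(). Findings are candidates for review, not
    proof that the value is request-controlled."""
    findings, in_script = [], False
    for line_no, line in enumerate(template.splitlines(), start=1):
        if SCRIPT_OPEN.search(line):
            in_script = True
        if in_script:
            for match in JS_STRING.finditer(line):
                literal = match.group(1)
                if VTL_REF.search(literal) and "escapeJavaScript(" not in literal:
                    findings.append((line_no, literal))
        if SCRIPT_CLOSE.search(line):
            in_script = False
    return findings


if __name__ == "__main__":
    for line_no, literal in unescaped_refs(TEMPLATE):
        print(f"line {line_no}: '{literal}' interpolated without escapeJavaScript()")
```

Each finding still needs a manual check of where the value originates; fieldId is the one this issue identifies as reaching the template from the request.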
On branch
GHS-8991-xss