Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JSWCLOUD-8990

UpdatePField Reflected XSS

XMLWordPrintable

      The UpdatePField action is vulnerable to reflected XSS when passing an unsanitized fieldId parameter to the Issue-confirmation.vm velocity template.

      This issue can be tested with a specially crafted link, such as:

      http://10.211.55.9/secure/UpdatePField.jspa?fieldId=');%3C/script%3E%3Cscript%3Ealert('XSS&fieldValue=1&key=SSP-6&id=11519&stepId=-1&decorator=none&selectedProjectId=10202&pageType=PlanningBoard&subType=VersionBoard&type=VB&selectedBoardId=-1&colPage=1

      File: greenhopper\src\main\Resources\Atlassian-plugin.xml

      <action name="com.pyxis.greenhopper.jira.actions.CardBoardAction" alias="CardBoardAction">
... 
  <command name="updateField" alias="UpdatePField">
    <view name="success">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
    <view name="error">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
  </command>
</action>

      File:greenhopper\src\main\resources\templates\greenhopper\jira\issue\Actions\Issue-confirmation.vm

      Issue-confirmation.vm
      #disable_html_escaping()
#if(!$action.errors.isEmpty())
  <span class="gh-error">#foreach($error in $action.errors)$action.getText($error)<br>#end</span>
  <script type="text/javascript">
  #if($action.fieldId)Boards.ffocus('${action.fieldId}In');#end
    GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);
  </script>
  #else
  ##POSSIBLEXSS
  <script type="text/javascript">
    Boards.needsRefresh = Boards.inSearchMode;
    #if($action.searchBoard)
      #if($action.refresh && $action.selectedBoard.statsPanelSupported) Boards.refreshSearchStats('$action.selectedBoard.searchKey', '${action.escapeJavaScript($action.searchType)}');#end
        #if($action.key) getIssue('$action.selectedBoard.id','$action.issueObject.key').refresh();#end
          Boards.returnToSearch();
        #elseif(!$action.planningBoard && $action.refresh)
          #if($action.id)Boards.getBoardForIssue('$action.issueObject.key',
'${action.escapeJavaScript($action.redirectType)}');
          #else Boards.refreshAll();#end
        #else
          #if($action.simpleUpdate)
            getIssue('$action.selectedBoard.id','$action.key').refresh();
            #if($action.refresh)
              Boards.refreshColumn();
              Boards.mainBoard.refreshMarkers();
            #end
            #else
            #if($action.id)
            
Boards.getBoard('$action.selectedBoard.id').refreshMainBoard(Boards.mainBoard.getStart(), ['$action.key']);
              Boards.refreshColumn();
            #else 
              #if($action.refresh)
                Boards.refreshAll();
              #else
                Boards.getBoard('$action.selectedBoard.id').refreshMainBoard();
                Boards.refreshColumn();
              #end
            #end
          #end
          Boards.closePopup();
        #end
      </script>
    #end

        1. UpdatePFieldXSS_browser.PNG
          37 kB

            [JSWCLOUD-8990] UpdatePField Reflected XSS

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JSWCLOUD Bug Workflow [ 3191174 ] New: JAC Bug Workflow v3 [ 3473519 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1887810 ] New: JSWCLOUD Bug Workflow [ 3191174 ]
            vkharisma made changes -
            Project Import New: Sun Apr 02 01:01:23 UTC 2017 [ 1491094883663 ]
            Owen made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v6 [ 909004 ] New: JIRA Bug Workflow w Kanban v6 - Restricted [ 1551852 ]
            Security Metrics Bot made changes -
            Labels Original: fixme security security_codereview New: cvss-high fixme security security_codereview
            Oswaldo Hernandez (Inactive) made changes -
            Workflow Original: GreenHopper Kanban Workflow 20141014 [ 747024 ] New: JIRA Bug Workflow w Kanban v6 [ 909004 ]
            David Black made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 53554 ] New: This issue links to "Page (Extranet)" [ 53554 ]
            Craig Davies (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 53554 ] New: This issue links to "Page (Extranet)" [ 53554 ]
            Ashley Blackmore made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 53554 ] New: This issue links to "Page (Extranet)" [ 53554 ]
            Ashley Blackmore made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 53554 ] New: This issue links to "Page (Extranet)" [ 53554 ]

              Unassigned Unassigned
              cee3f48a9671 Daniel
              Affected customers:
              0 This affects my team
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: