-
Bug
-
Resolution: Fixed
-
Highest
-
None
The UpdatingStatus action is vulnerable to stored XSS when outputting an unsanitized name parameter. Exploitation of this issue first requires creating a status containing HTML markup.
File: greenhopper\src\main\resources\templates\greenhopper\jira\boards\taskboard\Actions\Task-options.vm
...
#foreach($tAction in $transitionBoard.availableActions)
<li>
<label>
<input type="radio" name="ghtransition" data-name="tx" value="${tAction.id}"#if($transitionBoard.availableActions.size() == 1 && $transitionBoard.innerActions.isEmpty())CHECKED#end>$tAction.name
</label>
</li>
...
[JSWCLOUD-8991] UpdatingStatus Persistent XSS
Additional repro:
Once an issue is assigned to the status with <script>alert(something)</alert>, on classic task board, hover over the issue and click the cog - alert pops up.
Steps to reproduce:
1. In Rapid Board, create or find a project using the GH simplified workflow.
2. In Board Configuration, go to Columns and add a status for something like <script>alert('hi')</script>
3. Go to Classic mode for the project
4. Pick an issue and create some subtasks
5. On the task board, for the parent issue, at the far right is a link "open" - click it and get the XSS alert
CVSS score: 6 => High severity
Exploitability Metrics
| AccessVector | Network |
|---|---|
| AccessComplexity | Medium |
| Authentication | Single Instance |
Impact Metrics
| ConfImpact | Partial |
|---|---|
| IntegImpact | Partial |
| AvailImpact | Partial |
See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.
Added htmlEncode in two places where the status is displayed