-
Bug
-
Resolution: Fixed
-
Highest
-
None
The ConfigurationAction.doSetCardColor method is vulnerable to persistent XSS when saving an unsanitized cardColor parameter. The vulnerability is triggered in several velocity templates during rendering:
- All-layouts.vm
- Card-layout.vm
- Issue-create.vm
- Issue-gadget-cardview.vm
- Issue-print.vm
- Issue.vm
- List-compact-layout.vm
- List-layout.vm
- Main.vm
- Ranking-page.vm
- Summary-layout.vm
- Task-options.vm
File: greenhopper\src\main\java\com\pyxis\greenhopper\jira\Actions\ConfigurationAction.java
ConfigurationAction.java
package com.pyxis.greenhopper.jira.actions; import java.util.ArrayList; import java.util.Arrays; ... @SuppressWarnings("serial") public abstract class ConfigurationAction extends BoardAction { ... private String cardColor; ... @RequiresXsrfCheck public String doSetCardColor() { if(getCanEditConfig()) { getConfiguration().setCardColor(typeId, cardColor); getConfiguration().save(); } return doSuccess(); } ... public void setCardColor(String cardColor) { this.cardColor = cardColor; }
