The ChartBoardAction.doSetCurveColor method is vulnerable to persistent XSS because it stores the unsanitized color request parameter in user preferences. The set method is not protected against XSRF, so it can be triggered by remote attackers through a forged request.

      File: greenhopper\src\main\java\com\pyxis\greenhopper\jira\Actions\ChartBoardAction.java

      ChartBoardAction.java
      package com.pyxis.greenhopper.jira.actions;
      import java.io.IOException;
      import java.util.Set;
      ...
      @SuppressWarnings("serial")
      public class ChartBoardAction extends VersionBoardAction
      {
      ...
          // Request parameter bound by the setter below; never validated before it is persisted
          protected String color;
      ...
          // No XSRF check on this action method, so a forged request can reach it
          public String doSetCurveColor()
          {
            Set<CurveSettings> settings = getChartContext().getSettings();
            for(CurveSettings curveSetting : settings)
            {
              if(curveSetting.getId().equals(curveId))
              {
                // Sink: the raw color string is written into the curve settings as-is
                curveSetting.setColor(color);
                break;
              }
            }
            // The settings, including the unsanitized color, are persisted in user preferences
            getPreferences().setSettings(getChartContext().getSettingsId(), settings);
            getPreferences().save();
            return SUCCESS;
          }
      ...
          // Setter invoked by the framework for the "color" request parameter
          public void setColor(String color)
          {
            this.color = color;
          }
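The defensive fix the description implies is to accept only well-formed color values before they reach the preferences, and to require an XSRF token on the action. The following is an added example (not GreenHopper or Atlassian code): a small allowlist validator, with a sketch of the hardened action method that assumes JIRA's @RequiresXsrfCheck annotation and the action's addErrorMessage/INPUT conventions are available.

```java
import java.util.regex.Pattern;

/** Added example: strict allowlist for a color value that will be stored and later rendered. */
public final class CurveColorValidator {
    // Only "#rgb" or "#rrggbb" hex colors are accepted; everything else is rejected outright.
    private static final Pattern HEX_COLOR =
            Pattern.compile("^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$");

    private CurveColorValidator() {}

    /** True only for a syntactically valid hex color; null and anything else are rejected. */
    public static boolean isValidColor(String color) {
        return color != null && HEX_COLOR.matcher(color).matches();
    }

    /** Returns a normalized color or throws, so callers cannot persist an invalid value by accident. */
    public static String requireValidColor(String color) {
        if (!isValidColor(color)) {
            throw new IllegalArgumentException("invalid color value");
        }
        return color.toLowerCase();
    }

    // Hardened shape of the action method (sketch; assumes JIRA's
    // com.atlassian.jira.security.xsrf.RequiresXsrfCheck annotation and the
    // action's addErrorMessage()/INPUT conventions):
    //
    //   @RequiresXsrfCheck
    //   public String doSetCurveColor() {
    //       if (!CurveColorValidator.isValidColor(color)) {
    //           addErrorMessage("Invalid color value");
    //           return INPUT;               // nothing is persisted
    //       }
    //       ... existing loop and save, using requireValidColor(color) ...
    //   }

    public static void main(String[] args) {
        // Constructed sample inputs: valid hex colors, a malformed one, a named color, markup, and null.
        String[] samples = { "#1E90FF", "#abc", "#12345", "red", "<script>", null };
        for (String s : samples) {
            System.out.println(String.valueOf(s) + " -> " + isValidColor(s));
        }
    }
}
```

Output encoding at the point where the stored color is rendered into the page is still required as a second layer; the allowlist only guarantees that nothing but a hex color ever reaches the preferences.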

[JSWCLOUD-9069] ChartBoardAction.doSetCurveColor Persistent XSS
Reporter: Daniel