Type: Bug
Resolution: Fixed
Priority: Medium
NOTE: This bug report is for JIRA Software Server. Using JIRA Software Cloud? See the corresponding bug report.
This is difficult to reproduce - needs tampering with the post data for the page.
On Classic Board, go to the search box. Tamper with the posted data and add the parameter redirectURL with something like:
redirectType=xxx"><img src=u onerror=alert(1)>
(Note: it doesn't work if you use <script></script> tags)
You need to have > 1 page of search results - more than 30 by default, or change the Issues Per Page in the Tools > User Preferences section.
The image is rendered within the page numbers.
relates to
- JSWSERVER-5562 XSS (reflected) in rankVMID parameter of GetRankPage.jspa (Closed)
- JSWCLOUD-6705 XSS in redirectType parameter on SearchBoard.jspa (Closed)
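The behaviour described in the report above, a posted redirectType value reflected into the page-number links, shown first unencoded and then encoded for the href attribute, with a regression check that the pager contains only anchor elements. This is an added example, not part of the original report and not JIRA's own code; the page parameter, the allowlist values and the link markup are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed input: the tampered value quoted in the report.
TAMPERED = 'xxx"><img src=u onerror=alert(1)>'
# Hypothetical allowlist; the report does not list the legitimate values.
ALLOWED_TYPES = {"board", "issue"}


def links_unencoded(redirect_type, pages):
    """'Before' form: the posted value is concatenated into each href as-is."""
    return "".join(
        f'<a href="SearchBoard.jspa?page={n}&redirectType={redirect_type}">{n}</a>'
        for n in range(1, pages + 1))


def links_encoded(redirect_type, pages):
    """URL-encode the query string, then HTML-encode it for the attribute."""
    out = []
    for n in range(1, pages + 1):
        query = urlencode({"page": n, "redirectType": redirect_type})
        href = html.escape("SearchBoard.jspa?" + query, quote=True)
        out.append(f'<a href="{href}">{n}</a>')
    return "".join(out)


def normalize_type(value, default="board"):
    """Input validation on top of encoding: unknown values become the default."""
    return value if value in ALLOWED_TYPES else default


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(markup):
    """Regression check: every element in the pager other than <a>."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t != "a"]
```

Running unexpected_tags over the rendered pager in a test suite catches any parameter that reaches the page-number markup without attribute encoding, whichever parameter it is.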
QA-ed with Jo when she was developing the fix.