The UpdatePField action (the updateField command of CardBoardAction) is vulnerable to reflected XSS: the fieldId request parameter is written unescaped into an inline script block in the issue-confirmation.vm Velocity template. The template starts with #disable_html_escaping(), and the error branch emits Boards.ffocus('${action.fieldId}In'); with no JavaScript escaping, so a fieldId such as ');</script><script>alert('XSS terminates both the string literal and the script block and the remainder is rendered as attacker-controlled markup and script.

      This issue can be tested with a specially crafted link, such as:

      http://10.211.55.9/secure/UpdatePField.jspa?fieldId=');%3C/script%3E%3Cscript%3Ealert('XSS&fieldValue=1&key=SSP-6&id=11519&stepId=-1&decorator=none&selectedProjectId=10202&pageType=PlanningBoard&subType=VersionBoard&type=VB&selectedBoardId=-1&colPage=1

File: greenhopper\src\main\resources\atlassian-plugin.xml

<action name="com.pyxis.greenhopper.jira.actions.CardBoardAction" alias="CardBoardAction">
...
  <command name="updateField" alias="UpdatePField">
    <view name="success">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
    <view name="error">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
  </command>
</action>

File: greenhopper\src\main\resources\templates\greenhopper\jira\issue\actions\issue-confirmation.vm

#disable_html_escaping()
#if(!$action.errors.isEmpty())
  <span class="gh-error">#foreach($error in $action.errors)$action.getText($error)<br>#end</span>
  <script type="text/javascript">
  #if($action.fieldId)Boards.ffocus('${action.fieldId}In');#end
    GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);
  </script>
#else
  ##POSSIBLEXSS
  <script type="text/javascript">
    Boards.needsRefresh = Boards.inSearchMode;
    #if($action.searchBoard)
      #if($action.refresh && $action.selectedBoard.statsPanelSupported) Boards.refreshSearchStats('$action.selectedBoard.searchKey', '${action.escapeJavaScript($action.searchType)}');#end
      #if($action.key) getIssue('$action.selectedBoard.id','$action.issueObject.key').refresh();#end
      Boards.returnToSearch();
    #elseif(!$action.planningBoard && $action.refresh)
      #if($action.id)Boards.getBoardForIssue('$action.issueObject.key', '${action.escapeJavaScript($action.redirectType)}');
      #else Boards.refreshAll();#end
    #else
      #if($action.simpleUpdate)
        getIssue('$action.selectedBoard.id','$action.key').refresh();
        #if($action.refresh)
          Boards.refreshColumn();
          Boards.mainBoard.refreshMarkers();
        #end
      #else
        #if($action.id)
          Boards.getBoard('$action.selectedBoard.id').refreshMainBoard(Boards.mainBoard.getStart(), ['$action.key']);
          Boards.refreshColumn();
        #else
          #if($action.refresh)
            Boards.refreshAll();
          #else
            Boards.getBoard('$action.selectedBoard.id').refreshMainBoard();
            Boards.refreshColumn();
          #end
        #end
      #end
      Boards.closePopup();
    #end
  </script>
#end
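The reflection described above, as an added example that is not GreenHopper's code: a Python model of the template's error branch, rendered from the PoC link's fieldId both as shipped and with the escapeJavaScript encoding the fix comment describes. escape_javascript is a reimplementation of the Commons Lang StringEscapeUtils.escapeJavaScript rules, the "Invalid field" error text is constructed, and it is an assumption that the template's $action.escapeJavaScript helper follows the same rules.

```python
"""Model of how issue-confirmation.vm reflects $action.fieldId into an inline
<script> block, shipped (unescaped) vs. fixed (escapeJavaScript), driven by
the PoC link from this issue.

Added example for this report, not GreenHopper code. escape_javascript() is
a reimplementation of the Commons Lang StringEscapeUtils.escapeJavaScript()
rules (BMP characters only); it is an assumption that the template's
$action.escapeJavaScript helper follows the same rules.
"""
from urllib.parse import urlsplit, unquote

# PoC link from the report (trailing parameters shortened, payload unchanged).
POC_URL = ("http://10.211.55.9/secure/UpdatePField.jspa?fieldId=');%3C/script%3E"
           "%3Cscript%3Ealert('XSS&fieldValue=1&key=SSP-6&id=11519&stepId=-1")


def field_id_from_url(url: str) -> str:
    """Take fieldId from the query string. Split on '&' only: the payload
    itself contains ';', which some query parsers also treat as a separator."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "fieldId":
            return unquote(value)
    raise KeyError("fieldId")


def escape_javascript(value: str) -> str:
    """Escape for a JS string literal the way Commons Lang escapeJavaScript
    does: backslash, both quotes, '/' (so '</script>' can no longer close
    the enclosing script block), control characters and non-ASCII."""
    named = {"\\": "\\\\", "'": "\\'", '"': '\\"', "/": "\\/",
             "\b": "\\b", "\n": "\\n", "\t": "\\t", "\f": "\\f", "\r": "\\r"}
    out = []
    for ch in value:
        if ch in named:
            out.append(named[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7F:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_error_branch(field_id: str, escape: bool) -> str:
    """The #if(!$action.errors.isEmpty()) branch of the template: escape=False
    is the shipped line Boards.ffocus('${action.fieldId}In'); escape=True is
    the fix described in the comments (encode the parameter first).
    The error message text is constructed for the example."""
    value = escape_javascript(field_id) if escape else field_id
    return ('<span class="gh-error">Invalid field<br></span>\n'
            '<script type="text/javascript">\n'
            "Boards.ffocus('" + value + "In');\n"
            "GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);\n"
            "</script>")


def script_close_count(html: str) -> int:
    """Number of '</script' sequences. The HTML tokenizer ends script data at
    the first one regardless of JavaScript quoting, so the template's single
    block must yield exactly 1; 2 means user input closed the block early and
    everything after it is parsed as fresh markup."""
    return html.lower().count("</script")


def js_string_literal(src: str, start: int):
    """Parse the single-quoted JS string literal at src[start]; return
    (decoded value, index just past the closing quote). Handles the escapes
    escape_javascript emits."""
    simple = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}
    i, out = start + 1, []
    while i < len(src):
        ch = src[i]
        if ch == "'":
            return "".join(out), i + 1
        if ch == "\\":
            nxt = src[i + 1]
            if nxt == "u":
                out.append(chr(int(src[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(simple.get(nxt, nxt))
                i += 2
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def ffocus_call(html: str):
    """Return (string Boards.ffocus receives, rest of that line). In the
    shipped render the literal ends at the attacker's quote and the rest is
    the injected markup; in the fixed render the whole payload is data."""
    i = html.index("Boards.ffocus(") + len("Boards.ffocus(")
    value, end = js_string_literal(html, i)
    return value, html[end:html.index("\n", end)]


if __name__ == "__main__":
    payload = field_id_from_url(POC_URL)
    for escape in (False, True):
        html = render_error_branch(payload, escape)
        print("escaped" if escape else "shipped", script_close_count(html),
              ffocus_call(html))
```

Two checks are needed because the value sits in two parsers at once: the HTML tokenizer, which ends script data at the first `</script` whatever the JavaScript quoting around it, and the JavaScript string literal. Escaping only the quote character would keep the literal intact but still let `</script>` end the block; escaping `/` as `\/`, as escapeJavaScript does, closes both paths, and the fixed render hands the entire payload to Boards.ffocus as a plain string.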
      

            [JSWSERVER-8990] UpdatePField Reflected XSS

JoanneA (Inactive) added a comment - On branch GHS-8991-xss

JoanneA (Inactive) added a comment - This particular resource is used when updating the priority (i.e. Blocker, Critical etc.). Added encodeJavaScript to the parameter and checked the link and the priority update still works.

David Black added a comment - CVSS score: 7.5 => High severity

Exploitability Metrics

AccessVector Network
AccessComplexity Low
Authentication None

Impact Metrics

ConfImpact Partial
IntegImpact Partial
AvailImpact Partial

See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

Assignee: Unassigned
cee3f48a9671 Daniel