ChartBoardAction.doSetCurveColor Persistent XSS

XMLWordPrintable

      The ChartBoardAction.doSetCurveColor method is vulnerable to persistent XSS when saving an unsanitized color parameter in user preferences. The set method isn’t protected from XSRF, allowing exploitation from remote attackers.

      File: greenhopper\src\main\java\com\pyxis\greenhopper\jira\Actions\ChartBoardAction.java

      ChartBoardAction.java
      package com.pyxis.greenhopper.jira.actions;
import java.io.IOException;
import java.util.Set;
...
@SuppressWarnings("serial")
public class ChartBoardAction extends VersionBoardAction
{
...
    protected String color;
...    
    public String doSetCurveColor()
    {
      Set<CurveSettings> settings = getChartContext().getSettings();
      for(CurveSettings curveSetting : settings)
      {
        if(curveSetting.getId().equals(curveId))
        {
          curveSetting.setColor(color);
          break;
        }
      }
      getPreferences().setSettings(getChartContext().getSettingsId(), settings);
      getPreferences().save();
      return SUCCESS;
    }
...
    public void setColor(String color)
    {
      this.color = color;
    }

        1. CurveColor XSS.PNG
          CurveColor XSS.PNG
          66 kB

            Assignee:
            Unassigned
            Reporter:
            Daniel
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: