Uploaded image for project: 'Xporter for Jira Cloud'
  1. Xporter for Jira Cloud
  2. XPORTERCLOUD-2241

AMS-25505 - Stored XSS via [template name] at [workflow]

    XporterXMLWordPrintable

Details

    • OK

    Description

      What is this ticket?

      This ticket tracks the corresponding Bugcrowd submission 906edd34-6c1f-418a-a5a9-69aa71445f7f. Please make a note of the triage and remediation due dates for this ticket.
      You are not expected to update the status of the ticket. We will automatically sync the status of the Bugcrowd submission for you :smiley: Please continue to accept, reject, and close submissions directly in the Bugcrowd portal.

      What can I do with this ticket?

      :one: Ensure that you are actioning on the submission within the Triage Due Date & Remediation Due Date. Learn more about our Bug Fix Policy here.
      :two: Request an SLA extension if you need more time. Learn more about SLA management here.
      :three: Engage with our Atlassian Security team by simply commenting on the ticket.
      :four: Use our partner dashboard to monitor all your SLA’s at one place and analyze trends.

      Ticket updates:

      If you are interested in receiving notifications on all ticket updates, please add yourself to the watchers list.

      Requesting a SLA extension:
      If you need to request an extension to fix the vulnerability, transition this ticket to the
      EXTENSION REQUESTED
      status.

      SLA violation notifications:
      You will be notified through email and this ticket as the SLA Due dates approach.

      If you would like to de-list/retire your marketplace app, please create a request here. After you have created the request, please comment with a link to the ticket. Lastly, transition this ticket to the
      ATLASSIAN INPUT REQUESTED
      status.

      Need any other help? Please comment on this ticket or you can create a ticket here.

      Bugcrowd Submission Info:

      1. Stored Cross-Site Scripting (Privileged User to Privilege Elevation)
        1. Business Impact

      After install [Xporter - Export issues from Jira](https://marketplace.atlassian.com/apps/891368/xporter-export-issues-from-jira?hosting=cloud&tab=overview) add-on users can create `global templates` and can add this template with `Xporter Multi-Action` in `WorkFlow post-function`. After test the `Xporter Multi-Action` I found that it can act as a vector for stored XSS attacks.

      ____________

        1. Steps to Reproduce

      1. Admin install [Xporter - Export issues from Jira](https://marketplace.atlassian.com/apps/891368/xporter-export-issues-from-jira?hosting=cloud&tab=overview) add-on
      1. Admin add new UserB.
      1. UserB navigate to {}Apps > mange Apps > under xporter go to Template > then create new template{} and in template name inject XSS payload.
      ![image-2023-09-29T15:27:54.303Z.png](https://bugcrowd.com/xpandit/submissions/906edd34-6c1f-418a-a5a9-69aa71445f7f/attachments/7f3770b0-902d-42c8-86fd-17c8a53027fd "image-2023-09-29T15:27:54.303Z.png")
      1. Now UserB Or Admin navigate to {}issues > workflow > edit any workflow > then enter to any `Transitions` > then to Post Functions > click in Add Post Functions > form list select `Xporter Multi-Action` > then at Template select Template content xss pyaload.{} and publish post function and workflow
      ![image-2023-09-29T15:45:32.531Z.png](https://bugcrowd.com/xpandit/submissions/906edd34-6c1f-418a-a5a9-69aa71445f7f/attachments/89608c83-76bf-46e1-9bca-56820f1bf82b "image-2023-09-29T15:45:32.531Z.png")
      1. Now if sys admin navigate to {}issues > workflow > Post Functions,{}, Observe the JavaScript payload being executed

      ![image-2023-09-29T14:34:04.415Z.png](https://bugcrowd.com/xpandit/submissions/906edd34-6c1f-418a-a5a9-69aa71445f7f/attachments/285c8e96-75b8-49e7-ad60-1793a95c6687 "image-2023-09-29T14:34:04.415Z.png")

      ____________

        1. Proof of Concept (PoC)

      [poc](https://bugcrowd.com/xpandit/submissions/906edd34-6c1f-418a-a5a9-69aa71445f7f/attachments/47581f71-eab3-468a-8cb8-115f9e33e21a)

       

      Attachments

        1. AMS-25505.doc
          90 kB
        2. image (2).png
          image (2).png
          49 kB
        3. image (3).png
          image (3).png
          113 kB
        4. image (1).png
          image (1).png
          169 kB
        5. 2023-09-29_2018-39-41.mp4
          51.55 MB

        Issue Links

          Activity

            People

              nikhil.diwan Nikhil Diwan
              nikhil.diwan Nikhil Diwan
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: