[XRAY-4692] XSS vulnerabilities in Test Run page - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: R3.5.3
Fix Version/s: R3.5.5
Component/s: Security, Test Run Review
Labels:
- security_vulnerability_medium

Requirement Status:
OK
- 1

Description

There are (at least) two XSS vulnerabilities (JS code injection) into the HTML code of the Test Run page.

This was reproduced in Jira 7.13.1 (however, any version should do it) and Xray 3.5.3.

Steps to reproduce (Generic field entry point):

Create a new Generic Test issue
In the Generic Test Definition field write: <script>alert("XSS")</script>
Create a new Test Run: “Execute In” -> “New Test Execution”
Open the Test Run page -> You will see the alert in the page

Steps to reproduce (Pre-Condition Summary entry point):

Create a new Test
In the Test Issue click on "Create Pre-Condition"
In the summary field write: <script>alert("XSS PreCond")</script>
Create a new Test Run: “Execute In” -> “New Test Execution”
Open the Test Run page -> You will see the alert in the page

Attachments

Issue Links

implements

XRAY-3909 JS is being injected in the Test Repository page

Closed

Activity

People

Assignee:: Paulo Alves

Reporter:: Hugo Braz [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 13/Nov/19 2:09 PM

Updated:: 18/Feb/21 4:42 PM

Resolved:: 18/Feb/21 4:42 PM

Time Tracking

Estimated:

0m

Remaining:

0m

Logged:

2d 6h 30m