Xray for Jira: XRAY-5315

Stored XSS project name field


Details

    • R4.0.0 Blue S5
    • OK

    Description

      The Requirement Projects configuration page does not HTML-encode the project name. A user who can edit a project name or create a new project can therefore inject script into the name, which is stored and later rendered to an admin user, resulting in a stored XSS attack against that admin.

      Replication steps

      • Edit or create a new project with the name: <svg/onload=alert(1) />
      • Log in as an admin and open http://<ip_server>:8080/secure/admin/views/XrayRequirementProjectsConfiguration.jspa. The stored XSS payload is triggered when the page renders the project name.
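      The root cause and fix, as an added example that is not Xray's own code: the admin page's row template must encode the project name for the HTML context it lands in. The project name below is the payload quoted in this report; the project key, the template and the `findUnexpectedTags` regression helper are constructed for this illustration.

```javascript
// Added example, not Xray's own code. The project name is the payload from
// this report; the key and the row template are constructed sample data.
const SAMPLE_PROJECT = { key: 'DEMO', name: '<svg/onload=alert(1) />' };

// Encode the five characters that can break out of HTML text or out of a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the raw name is concatenated into markup, so the
// browser parses "<svg ...>" as an element and runs its onload handler.
function renderProjectRowVulnerable(project) {
  return `<tr><td>${project.key}</td><td>${project.name}</td></tr>`;
}

// Fixed rendering: every untrusted value is encoded before insertion,
// both as element text and inside a quoted attribute.
function renderProjectRowFixed(project) {
  const name = escapeHtml(project.name);
  const key = escapeHtml(project.key);
  return `<tr data-project="${name}"><td>${key}</td><td>${name}</td></tr>`;
}

// Regression check (hypothetical helper) a test suite can run over the
// rendered admin markup: report any tag name the template itself does not
// emit. An encoded name contains no "<", so it can never produce one.
const TEMPLATE_TAGS = new Set(['tr', 'td']);
function findUnexpectedTags(html) {
  const unexpected = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) unexpected.push(tag);
  }
  return unexpected;
}
```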

      People

        Paulo Alves
        Diamantino Campos

      Time Tracking

        Estimated: 0m
        Remaining: 0m
        Logged: 6h 20m