[XRAY-6382] Stored XSS on XRay Server on XRay Report via custom field - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: 4.1.4
Fix Version/s: 4.1.6
Component/s: Report, Security
Labels:
- ignore_ait
- security_vulnerability_medium

Sprint:
XRAY 2020 Sprint 4
Requirement Status:
OK
- 1

Description

Steps:

Go to Custom Field
Click in Add Custom Field
Select any Custom Field type
Add name and Description Custom Field as XSS Payload.

"><img src=x onerror=alert(document.cookie)>
5 Click save Custom Field Then go to Xray Report. http://localhost:8080/secure/XrayReport!default.jspa?selectedProjectKey=PRO
6 Now click in Filter(s) Button and Click in More drop list
7 Search for the "custom field" you added "><img src=x onerror=alert(document.cookie)>, And choose it
8 Now it will add it as a field. Enter any value in this field and click Apply.
9 After click apply XSS Payload fire in your browser.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2020-08-28-09-37-55-436.png
28/Aug/20 9:37 AM
150 kB
Diamantino Campos

Activity

People

Assignee:: Diamantino Campos

Reporter:: Diamantino Campos

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 28/Aug/20 9:38 AM

Updated:: 3 days ago 10:28 AM

Resolved:: 21/Oct/20 3:13 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: