
Stored XSS in dashboard By "Test Run Assignee & Executed by" in "Test Runs List Gadget"


Details

    • XRAY 2020 Sprint 4
    • OK

    Description

      Steps:

      1. Go to Your Profile and, in the Profile Name field, inject the XSS payload: "><img src=x onerror=alert('Assigner')>
      2. Install Xray Test Management for Jira Server, then go to the Dashboard tab and create a new dashboard.
      3. After creating the dashboard, click the "add gadget" button.
      4. From the gadget list, select Test Runs List.
      5. Now, when the victim fills in the Test Run Assignee or Executed By fields, the payload is reflected in the page.
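The root cause described above is a gadget that builds its rows from user-controlled display names without HTML-encoding them. The following is an added example (not Xray's code) contrasting the vulnerable concatenation pattern with an encoding fix, plus a small output check a reviewer can run; the row template, field names and the sample run object are assumptions, and the payload is the one quoted in the steps.

```javascript
// Added example (not Xray's code): how a list gadget that interpolates
// user-supplied display names into markup is exploitable, and how to fix it.
// Assumes a gadget that renders one table row per test run {assignee, executedBy}.

// Stored payload from the report, as it would sit in a profile display name (constructed sample).
const PAYLOAD = "\"><img src=x onerror=alert('Assigner')>";

// Vulnerable pattern: raw interpolation into markup that is later assigned to innerHTML.
// The leading "> closes the title attribute and the <img> tag executes on load.
function renderRowUnsafe(run) {
  return `<tr><td title="${run.assignee}">${run.assignee}</td>` +
         `<td>${run.executedBy}</td></tr>`;
}

// Encode the five HTML-significant characters so a display name is always inert text,
// whether it lands inside an attribute value or an element body.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: every untrusted value passes through escapeHtml before interpolation.
function renderRowSafe(run) {
  const a = escapeHtml(run.assignee);
  const e = escapeHtml(run.executedBy);
  return `<tr><td title="${a}">${a}</td><td>${e}</td></tr>`;
}

// Output check for reviewers and tests: the template only ever emits <tr> and <td>,
// so any other tag name in the rendered string means an injection got through.
function containsUnexpectedTag(html, allowed = ['tr', 'td']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample run: the attacker's profile name as assignee, a benign executor.
const sampleRun = { assignee: PAYLOAD, executedBy: 'example-user' };
```

The same check applied to the unsafe renderer flags the injected tag, while the escaped row keeps the payload visible as literal text, which is the behaviour the report expects after a fix.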


          People

            dpca Diamantino Campos
            dpca Diamantino Campos

            Time Tracking

              Estimated: Not Specified
              Remaining: 0m
              Logged: 1h 10m