[XRAY-6475] Stored XSS on XRay Server on XRay Report via "Saved Search" - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 4.2.0
Component/s: Core, Security
Labels:
- ignore_ait
- security_vulnerability_low

Sprint:
XRAY 2020 Sprint 5
Requirement Status:
OK
- 1

Description

The attacker can create a "save filter", name this filter with a long name, and then add an XSS payload at the end of the name in order not to attract attention. Where the vulnerability is exploited in this way without the need for user interaction, just pressing one button. Show PoC video in attachment.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

XrayXssExpolit.mp4
1.81 MB
25/Sep/20 10:49 AM

Issue Links

is cloned by

XRAY-6612 Stored XSS at Xray in Test issue by Import Steps issue

Closed

Activity

People

Assignee:: Pedro Rodrigues

Reporter:: Diamantino Campos

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 25/Sep/20 10:49 AM

Updated:: 11/Nov/20 4:58 PM

Resolved:: 11/Nov/20 4:58 PM

Time Tracking

Estimated:

Remaining:

Logged:

2h 50m