Xray for Jira: XRAY-6612

Stored XSS at Xray in Test issue by Import Steps issue


Details

    • XRAY 2020 Sprint 7
    • OK

    Description

      Steps:

      1. Create two Test issues, (A) and (B).
      2. Go to Test issue A and, in the Test Details section, click the Add Step button, fill out the fields and click Add.

      Exploit:

      1. A malicious user goes to Test Step Custom Fields.
      2. Clicks the Create button to create a custom field.
      3. Enters an XSS payload in the Name field and makes the field required.
      4. Now, if any other user or admin goes to Test issue B and tries to import steps from another issue, the XSS payload is rendered in that user's browser.
      5. Changing the mapping to "Don't map this field" is enough to get the Validate button enabled.
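As an added illustration of the rendering flaw these steps describe (example code, not Xray's own): a stored custom field name is concatenated into the "Import Steps" mapping dialog unescaped, next to the same row rendered with output encoding. The field shape, the row markup and the sample field name are assumptions for illustration only.

```javascript
// Added example, not Xray's code: the custom-field name reaches the browser of
// whoever opens the import dialog later, so it must be encoded at that point.
// The field shape, row markup and sample name below are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored field name is concatenated straight into the
// dialog's HTML, so markup typed into the Name field is parsed as markup by
// every user who imports steps afterwards (the stored XSS reported above).
function renderMappingRowUnsafe(field) {
  const star = field.required ? " *" : "";
  return `<label>${field.name}${star}</label>`;
}

// Hardened pattern: the identical row, but the name is escaped where it meets
// HTML. Output encoding is the fix and does not depend on what was stored.
function renderMappingRowSafe(field) {
  const star = field.required ? " *" : "";
  return `<label>${escapeHtml(field.name)}${star}</label>`;
}

// Defence in depth for the creation form: a custom field name has no reason to
// contain angle brackets, so reject them server-side when the field is saved.
function isAcceptableFieldName(name) {
  return typeof name === "string" && name.trim().length > 0 && !/[<>]/.test(name);
}

// Constructed field (not from the report): a name carrying harmless markup,
// marked required so every importer is forced to see this row.
const CONSTRUCTED_FIELD = { name: 'Precondition <i title="x">note</i>', required: true };

console.log(renderMappingRowUnsafe(CONSTRUCTED_FIELD)); // markup survives intact
console.log(renderMappingRowSafe(CONSTRUCTED_FIELD));   // markup shown as literal text
```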

            People

              masg Marco Guedes
              dpca Diamantino Campos

                Time Tracking

                  Estimated: 0m (Original Estimate - 0 minutes)
                  Remaining: 0m (Remaining Estimate - 0 minutes)
                  Logged: 1h 50m (Time Spent - 1 hour, 50 minutes)