Summary by Atlassian
Reflected Cross Site Scripting Attack in Slack integration in JIRA Software Server.
Reflected Cross Site Scripting while connection with Slack integration in Jira Server
Disclosed by mr_edwards- Engagement Atlassian
- Disclosed date almost 5 years ago
- Reward $300
- Priority P3 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by mr_edwards
There was an XSS in Slack integration in JIRA.
Report details
-
Submitted
-
Target Location
Jira Core Data Center -
Target category
Web App
-
VRT
Cross-Site Scripting (XSS) > Reflected > Non-Self -
Priority
P3 -
Bug URL
[jira_host]/slack/oauth/redirect/THMAXLURM%3Cimg%20src=x%20onerror=alert%601%60%3E -
Description
There is an XSS vulnerability in the JIRA server which could lead to the stealing of user credentials like cookies and more.
Steps to reproduce:
- Go to the following URL :
[jira_host]/slack/oauth/redirect/THMAXLURM%3Cimg%20src=x%20onerror=alert%601%60%3E - You will get promted with '1' (XSS fired).
- Go to the following URL :
-
Extra info
Added screenshot.