Summary by Atlassian
A Stored XSS Vulnerability in Jira Service Management
A Stored XSS in Jira Service Desk "Reports" Via "Requests resolved"
Disclosed by norwin_boniao- Engagement Atlassian
- Disclosed date over 2 years ago
- Points 10
- Priority P3 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by norwin_boniao
A Non-Authenticated users can execute Stored XSS attack using the Widget Chat in Service Desk when Inserting malicious script in Question field , The script executes in Requests resolved area.
Report details
-
Submitted
-
Target Location
Jira Service Management Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) -
Target category
Web App
-
VRT
Cross-Site Scripting (XSS) > Stored > Non-Privileged User to Anyone -
Priority
P3 -
Bug URL
Empty -
Description
Good Day:
Please allow me to report this Stored XSS in Jira Service Desk "Reports" Via "Requests resolved".
Where in Non-Authenticated users can execute a malicious script against Admin.Step To Reproduce:
Step1. As admin enables the widget for your Service Desk.https://norwin1.atlassian.net/servicedesk/admin/TESF/addon/com.atlassian.servicedesk.embedded__settings
Set up the widget so that it will go live publicly.Step2. when it is now live: a malicious user can execute an attack via asking a question with an xss payload
norwin"><img src="x" onerror="alert(document.domain)"></img>putting it inWhat is your question fieldand send it.
Step3. Admin now received the question and mark it as
resolved.
Now navigate to
https://norwin1.atlassian.net/jira/servicedesk/projects/TESF/reports/kb-requests-resolvedReportsthen go toRequest Resolved
now click the graph.
Step. XSS payload executed.
Thanks,
Norwin