Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability
Title: Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability
Advisory ID: ZSL-2013-5151
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2013
Summary
JIRA is an issue tracking project management software for teams planning, building, and launching great products.
Description
JIRA suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'name' GET parameter in the 'deleteuserconfirm.jsp' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
Atlassian Corporation Pty Ltd. - https://www.atlassian.com
Affected Version
6.0.3 and 6.0.2
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[25.06.2013] Vulnerability discovered.
[26.06.2013] Contact with the vendor.
[26.06.2013] Vendor replies asking more details.
[26.06.2013] Sent details to the vendor.
[27.06.2013] Vendor confirms the vulnerability.
[28.06.2013] Working with the vendor.
[05.08.2013] Vendor releases versions 6.0.5 and 6.1-OD-04 to address this issue.
[06.08.2013] Coordinated public security advisory released.
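An access-log check for the issue described above, added here as an example and not part of the original advisory or of Atlassian's code: it flags requests to 'deleteuserconfirm.jsp' whose decoded 'name' parameter carries HTML metacharacters, including double-encoded ones. The combined log format, the `/PLACEHOLDER/` path prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Characters that let a reflected value leave HTML text or attribute context.
# Heuristic for triage: a legitimate name containing a quote will also match.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # request line of a log entry
TARGET = "deleteuserconfirm.jsp"  # script named in the advisory
PARAM = "name"                    # parameter named in the advisory

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C) so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_names(log_lines):
    """Return (line_number, decoded_value) for requests whose 'name' carries markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith(TARGET):
            continue
        # parse_qs decodes once; decode_fully peels any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                hits.append((number, value))
    return hits

# Constructed sample entries (documentation addresses, placeholder path prefix).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Aug/2013:10:00:01 +0000] "GET /PLACEHOLDER/deleteuserconfirm.jsp?name=jsmith HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Aug/2013:10:00:09 +0000] "GET /PLACEHOLDER/deleteuserconfirm.jsp?name=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5180',
    '198.51.100.9 - - [06/Aug/2013:10:01:30 +0000] "GET /PLACEHOLDER/DeleteUserConfirm.jsp?name=%2522%253E%253Ci%253E HTTP/1.1" 200 5177',
    '198.51.100.9 - - [06/Aug/2013:10:02:00 +0000] "GET /PLACEHOLDER/other.jsp?name=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in suspicious_names(SAMPLE_LOG):
        print(f"line {number}: name={value!r}")
```

A hit on an instance still running 6.0.2 or 6.0.3 is worth reviewing alongside the referrer and the session of the user who made the request.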
PoC
jira_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://jira.atlassian.com/browse/JRA-34160
[2] https://jira.atlassian.com/browse/JRA/fixforversion/33790
[3] https://jira.atlassian.com/browse/JRA/fixforversion/34310
[4] http://packetstormsecurity.com/files/122721
[5] http://cxsecurity.com/issue/WLB-2013080065
[6] http://secunia.com/advisories/54417/
[7] http://www.securityfocus.com/bid/61647
[8] http://xforce.iss.net/xforce/xfdb/86311
[9] http://www.osvdb.org/show/osvdb/96070
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5319
[11] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5319
Changelog
[06.08.2013] - Initial release
[07.08.2013] - Added reference [4], [5], [6] and [7]
[09.08.2013] - Added reference [8]
[11.08.2013] - Added reference [9]
[22.08.2013] - Added reference [10] and [11]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk