Atlassian Jira Service Desk 4.9.1 Cross Site Scripting

2021.04.10
Credit: Captain_hook
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2020-14166
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS # Date: 07 Mar 2020 # Exploit Author: Captain_hook # Vendor Homepage: https://www.atlassian.com/ # Version: < 4.10.0 # Tested on: All OS # CVE: CVE-2020-14166 Summary: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file. Steps to reproduce: 1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true 2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily 3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens. Original report in bugcrowd: https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking Original ticket in atlassian: https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top