XSS Vulnerabilities in JIRA 6.1

manojkumar3036 March 27, 2018

Hi,

I went through various references regarding the patches and issues solved for the XSS vulnerabilities. Currently I am using JIRA version 6.1 and I want to edit the announcement banner.

While doing so, I tried to inject a script with the text:

e.g. Welcome <script>window.location.href="some site"</script>. When I made the change, it redirected me to that particular site. So how should I prevent the open redirection or XSS vulnerabilities? Is there any way? Please share/discuss.

4 answers

0 votes
Sachin Gupta August 29, 2018
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
0 votes
manojkumar3036 March 27, 2018

@Daniel Wester Can you please confirm the same for 7.1 or any version higher than this?

0 votes
manojkumar3036 March 27, 2018

Thanks @Daniel Wester. Is there any documentation related to it which states that HTML is not allowed in the newer versions? Because I have checked the script injection or HTML tag in JIRA 6.1.

0 votes
Daniel Wester
March 27, 2018

Probably not the answer you're wanting: upgrade to the newer version of Jira, and the announcement banner doesn't allow HTML anymore.
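As an added illustration for this thread (not code from the posts above and not Jira's own rendering code): the two payloads posted in this thread, run through a blocklist that only strips <script> tags and then through plain HTML output escaping, which is the same "treat the banner as text, not HTML" behaviour the answer above describes. Decoding the CSS escapes in the second payload shows it is a `javascript:` URL hidden in a `style` attribute (the alert argument is mangled as posted, but the `url('javascript:alert(` prefix is intact), which is exactly why it survives a filter that looks for `<script`. The function names, the wrapper `<div>` and the `renderBanner` helper are assumptions made for the example.

```javascript
// Added example for this thread, not Jira's code: the two payloads posted above,
// run through a <script>-only blocklist and through plain HTML escaping.

// Payload from the question: a script tag that redirects the page.
const REDIRECT_PAYLOAD = 'Welcome <script>window.location.href="some site"</script>';

// Payload from Sachin Gupta's reply: CSS unicode escapes that hide a javascript:
// URL inside a style attribute. It contains no "<script" substring at all.
const CSS_ESCAPE_PAYLOAD =
  `<DIV STYLE="background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061` +
  `\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028` +
  `.1027\\0058.1053\\0053\\0027\\0029'\\0029">`;

// Decode CSS escapes the way a browser's CSS parser does: a backslash followed by
// one to six hex digits, optionally terminated by a single whitespace character.
// Used here only to show what the second payload turns into once it is parsed.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?/g,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// The blocklist people reach for first: remove <script>...</script> and nothing else.
function stripScriptTags(s) {
  return s.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Output encoding: every character that can open a tag, close one, or break out of
// an attribute value becomes an entity, so the banner is rendered as text only.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical banner renderer (the wrapper div is an assumption, not Jira's markup).
function renderBanner(untrustedText) {
  return '<div class="announcement-banner">' + escapeHtml(untrustedText) + '</div>';
}

// Count raw "<" characters in rendered output: only the wrapper's two should remain,
// which means no tag from the banner text can reach the HTML parser.
function countRawLessThan(html) {
  return (html.match(/</g) || []).length;
}

console.log('decoded CSS payload :', decodeCssEscapes(CSS_ESCAPE_PAYLOAD));
console.log('blocklist, payload 1:', stripScriptTags(REDIRECT_PAYLOAD));
console.log('blocklist, payload 2:', stripScriptTags(CSS_ESCAPE_PAYLOAD)); // unchanged: the filter is bypassed
console.log('escaped,   payload 1:', renderBanner(REDIRECT_PAYLOAD));
console.log('escaped,   payload 2:', renderBanner(CSS_ESCAPE_PAYLOAD));
```

The blocklist removes the first payload and leaves the second untouched; the escaper turns both into inert text. The cost is the one the answer above names: a banner escaped this way cannot carry any HTML at all, so formatting has to come from the page's own markup rather than from the stored banner text.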
