Help resolving vulnerability in auth-refresh file

Our security team has found a potential XSS vulnerability in a file called auth-fresh.js. Has anyone ever encountered this? I believe it has something to do with gadgets but that is as far as I have been able to determine. I can't find this JavaScript file on the server. The exact text of the message (from IBM app scan) is:

DOM based cross-site scripting

It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

Any help would be appreciated.




1 answer

0 votes

Hi Thomas,

I checked my server and did not find any references to that file either.  I would look to see if you're running a third party script/add-on that could be causing this.  The only reference I found to that was here.  That came from this project.



Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,149 views 13 19
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot