Advertisement






Atlassian Jira Server/Data Center 8.16.0 Cross Site Scripting

CVE Category Price Severity
CVE-2021-26078 CWE-79 $5,000 High
Author Risk Exploitation Type Date
Unknown High Remote 2021-06-28
CPE
cpe:cpe:/a:atlassian:jira_server:8.16.0
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 0.035294 0.65407

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060165

Below is a copy:

Atlassian Jira Server/Data Center 8.16.0 Cross Site Scripting
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
# Date: 06/05/2021
# Exploit Author: CAPTAIN_HOOK
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0  version <  8.13.6, 8.14.0  version < 8.16.1
# Tested on: ANY
# CVE : CVE-2021-26078

Description: 

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
*Fixed versions:*

   - 8.5.14
   - 8.13.6
   - 8.16.1
   - 8.17.0

POC:

   - *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
Your XSS Will be triggered immediately.

Reference:
https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.