
Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability

Medium
Advisory ID
ZSL-2013-5151
Release Date
06 August 2013
Vendor
Atlassian Corporation Pty Ltd. - https://www.atlassian.com
Affected Version
6.0.3 and 6.0.2
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Summary

JIRA is issue-tracking and project-management software for teams planning, building, and launching great products.

Description

JIRA suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'name' GET parameter in the 'deleteuserconfirm.jsp' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
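As an added defender-side illustration (not part of the advisory), the Python below scans constructed access-log lines for requests to deleteuserconfirm.jsp whose 'name' parameter carries HTML-significant characters, and shows the output encoding that such a parameter needs before it is echoed into a page. The directory prefix in the sample URLs, the log lines themselves and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log style. Only the script name
# comes from the advisory; the /secure/admin/user/ prefix is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2013:10:01:02 +0000] "GET /secure/admin/user/deleteuserconfirm.jsp?name=jsmith HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jun/2013:10:02:13 +0000] "GET /secure/admin/user/deleteuserconfirm.jsp?name=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2013:10:03:44 +0000] "GET /browse/PROJ-1?name=%3Cb%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, then the request target between "GET " and " HTTP/x.y"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Characters that change meaning when reflected unencoded into HTML.
HTML_SIGNIFICANT = set('<>"\'')


def find_suspicious_requests(log_text):
    """Return (ip, decoded name) for every deleteuserconfirm.jsp request whose
    'name' parameter contains HTML-significant characters. Requests to other
    scripts are ignored, so the check stays scoped to the affected page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/deleteuserconfirm.jsp'):
            continue
        # parse_qs percent-decodes, so %3C is compared as '<'
        for name in parse_qs(parts.query).get('name', []):
            if HTML_SIGNIFICANT & set(name):
                hits.append((m.group('ip'), name))
    return hits


def escape_for_html(value):
    """Output-encode a parameter value before echoing it into an HTML body or
    attribute: the fix the vulnerable script lacked."""
    return html.escape(value, quote=True)


if __name__ == '__main__':
    for ip, name in find_suspicious_requests(SAMPLE_LOG):
        print(f'{ip} sent name={name!r}; safe rendering: {escape_for_html(name)}')
```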

Proof of Concept
Disclosure Timeline
25.06.2013 Vulnerability discovered.
26.06.2013 Contact with the vendor.
26.06.2013 Vendor replies asking for more details.
26.06.2013 Sent details to the vendor.
27.06.2013 Vendor confirms the vulnerability.
28.06.2013 Working with the vendor.
05.08.2013 Vendor releases versions 6.0.5 and 6.1-OD-04 to address this issue.
06.08.2013 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.08.2013 Initial release
07.08.2013 Added references [4], [5], [6] and [7]
09.08.2013 Added reference [8]
11.08.2013 Added reference [9]
22.08.2013 Added references [10] and [11]