Reflected XSS in "Summary" Parameter on External Share Plugin for JIRA

Description

BugCrowd: 8865489d-f218-4d8c-8017-f787badb215c
Ecosystem: AMS-25632


A reflected Cross-Site Scripting (XSS) vulnerability was identified in the "summary" parameter of the External Share for JIRA plugin. When an external share is created with editing of the issue summary enabled, an attacker can exploit this vulnerability against any user who opens the share.

Reflected XSS in “summary” parameter of /issue/{uuid}/update endpoint - SharePageController::updateIssue
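The ticket describes two behaviours of the update endpoint: before the fix, a request carrying `summary` changed the stored summary and echoed the new value back in the response body; after the fix, the update is accepted only from the editor's own request, nothing is reflected, and the server answers 204 No Content. The following is an added illustration of that before/after contrast in a minimal Python model; it is not the plugin's code. The handler names, the in-memory `store`, the harmless `<b>marker</b>` probe value and the choice to answer a non-POST request with 405 are all constructed for the example (the ticket only says the QA build "should do nothing, or it can generate an error").

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the share page's update handler (not the plugin's code).
# A "store" dict models the persisted summary of one shared issue.


def vulnerable_update(method, query_string, store):
    """'Before' behaviour from the ticket: any request to /update?summary=...
    changes the stored summary and reflects it, unencoded, in an HTML body."""
    params = parse_qs(query_string)
    summary = params.get("summary", [""])[0]
    store["summary"] = summary  # state change on any method, GET included
    return 200, "text/html", f"<p>Summary: {summary}</p>"  # raw reflection


def fixed_update(method, form, store):
    """'After' behaviour: the summary is taken only from the body of a POST,
    nothing is echoed back, and the reply is 204 No Content (assumed status
    codes for the error paths)."""
    if method != "POST":
        return 405, "text/plain", ""  # URL-driven update no longer changes state
    summary = form.get("summary")
    if summary is None:
        return 400, "text/plain", ""
    store["summary"] = summary
    return 204, None, ""  # no content, so there is nothing to reflect


def render_share_page(store):
    """Rendering path: the stored summary is HTML-escaped before it is placed
    in the page, so a value stored earlier is displayed as text, not markup."""
    return f"<h1>{html.escape(store['summary'])}</h1>"


def reflects_raw(response_body, probe):
    """QA check: does the response contain the probe value exactly as sent?
    True means the value was reflected without output encoding."""
    return probe in response_body


if __name__ == "__main__":
    probe = "<b>marker</b>"  # constructed, harmless probe value
    old = {"summary": "original"}
    status, _, body = vulnerable_update("GET", "summary=%3Cb%3Emarker%3C%2Fb%3E", old)
    print("before:", status, "reflected:", reflects_raw(body, probe), "stored:", old["summary"])

    new = {"summary": "original"}
    status, _, body = fixed_update("GET", {"summary": probe}, new)
    print("after (GET):", status, "stored:", new["summary"])
    status, _, body = fixed_update("POST", {"summary": probe}, new)
    print("after (POST):", status, "reflected:", reflects_raw(body, probe))
    print("rendered:", render_share_page(new))
```

The two observations the tester is asked to make map onto these functions: `vulnerable_update` answers 200 with the new summary in the body and accepts the change from a URL, while `fixed_update` answers 204 with an empty body and ignores a non-POST request; `render_share_page` shows why output encoding on the display path is still needed once a value has been stored.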

Activity

Automation for Jira 16 November 2023, 14:35

Hello @Michał Szkrabko,

Please merge code to dev branch.
This is the best moment to add more information that can be helpful to prepare release notes.

  • Can you prepare a short overview of the change that can be used in the release notes?

  • Please provide a short GIF that showcases the feature.

  • If a GIF makes no sense, can you provide an image that highlights the feature (cropped & annotated) that can be used in the release notes?

Parsa Shiva 16 November 2023, 14:34

@Michał Szkrabko Fix verified - QA environment.

Michał Szkrabko 16 November 2023, 10:42

@Parsa Shiva Since

has been released, issue from should not occur anymore.

Michał Szkrabko 12 November 2023, 01:46

@Parsa Shiva And this is why having dedicated test environment per feature is beneficial. You have successfully performed regression tests of

, unfortunately it didn’t prevent us from deploying it to production.

Parsa Shiva 9 November 2023, 11:13

@Michał Szkrabko Issue partially fixed - QA environment.

As expected, I am unable to use URL to update the summary.
However, the following issue occurs:

.

Michał Szkrabko 31 October 2023, 13:01

@Parsa Shiva To test you need to do 2 things:
0. prepare a shared issue with summary edition allowed
1. display the shared issue and add /update?summary=blablabla to the url in the web browser - notice that in prod it displays blablabla in the browser view and when you go back, the summary is changed, while in qa it should do nothing (or it can generate an error, doesn’t matter).
2. display the shared issue, open the network tab in the development tools, edit the summary - notice that in prod the request returns a 200 code (ok) with the new summary as the response, while in qa it should return a 204 code (no content) with no content.
3. Summary edition should obviously still work fine

Automation for Jira 31 October 2023, 12:43

Hello @Michał Szkrabko,

This is the best moment to add more information that can be helpful for the tester.

  • What areas are affected?

  • What are potential edge cases?

  • Was it checked for XSS problems?

  • Does change affect security, is new data exposed?

Please attach - Before / After screenshot if possible.

Automation for Jira 31 October 2023, 11:58

Hello @Michał Szkrabko,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA please move ticket to "To Test"

Thank you!

Automation for Jira 30 October 2023, 21:03

Hello @Krzysztof Bogdan,
Task is ready for review.

@Michał Szkrabko please make sure the reviewer
has easy access to the content to be reviewed.

If this is a code change, please make sure a PR is created.
If this is new documentation, a blogpost, etc., please provide a link to the page.