The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter

Type atlassian
Reporter rkumar66
Modified 2017-04-12T22:57:03


{panel:bgColor=#e7f4fa} NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? [See the corresponding suggestion|]. {panel}

We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input validation where applicable. Special characters should be stripped out during the validation process. The following special characters should be stripped out if unnecessary:

1. | (pipe sign)
2. & (ampersand sign)
3. ; (semicolon sign)
4. $ (dollar sign)
5. % (percent sign)
6. @ (at sign)
7. ' (single apostrophe)
8. " (quotation mark)
9. \' (backslash-escaped apostrophe)
10. \" (backslash-escaped quotation mark)
11. <> (triangular parenthesis)
12. () (parenthesis)
13. + (plus sign)
14. CR (Carriage return, ASCII 0x0d)
15. LF (Line feed, ASCII 0x0a)
16. , (comma sign)
17. \ (backslash)
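As an added illustration of the validation function described above (this is example code written for this page, not code from JIRA, Crowd or the reporter), the following JavaScript strips the listed characters from query-string parameters on either the server (Node) or the client, keeps only an allow-list of parameter names, and adds an HTML encoder for the output side. The parameter names, the sample query string and the allow-list are constructed for the example; the page does not supply them.

```javascript
// Added example (not part of the JIRA suggestion): input validation that
// strips the special characters listed in the suggestion, plus HTML output
// encoding. Runs unchanged in Node or in a browser (URLSearchParams is a
// standard global in both).

// Characters the suggestion asks to strip when they are unnecessary.
// "\'" and "\"" need no separate entry: "\" and both quote characters are
// already in the set individually.
const STRIPPED_CHARS = new Set([
  "|", "&", ";", "$", "%", "@", "'", '"', "<", ">", "(", ")", "+",
  "\r", "\n", ",", "\\",
]);

// Remove every character in STRIPPED_CHARS; returns the cleaned string.
function stripSpecialChars(value) {
  let out = "";
  for (const ch of String(value)) {
    if (!STRIPPED_CHARS.has(ch)) out += ch;
  }
  return out;
}

// Parse a query string and return only the allow-listed parameters, each
// with its value stripped. Parameters not on the allow-list are dropped.
// Note: URLSearchParams percent-decodes values and turns "+" into a space,
// so a literal "+" only reaches the strip step if it was sent as %2B.
function validateQueryParams(queryString, allowedParams) {
  const params = new URLSearchParams(queryString);
  const result = {};
  for (const name of allowedParams) {
    if (params.has(name)) {
      result[name] = stripSpecialChars(params.get(name));
    }
  }
  return result;
}

// Output-side defence: encode a value for an HTML text or attribute
// context. Stripping on input reduces exposure, but the value must still be
// encoded wherever it is written into a page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample query string (hypothetical values) using two of the
// parameter names from the report; "extra" is not on the allow-list.
const SAMPLE_QUERY = "projectOrFilterId=10001%3Cb%3Ex&validate=true&extra=1";
const ALLOWED = ["projectOrFilterId", "validate"];

// Validate the sample and render the cleaned value into an HTML fragment.
function demo() {
  const clean = validateQueryParams(SAMPLE_QUERY, ALLOWED);
  const html = "<span>" + escapeHtml(clean.projectOrFilterId) + "</span>";
  return { clean, html };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The strip function follows the suggestion's character list literally; in practice a practitioner would pair it with the output encoding shown in `escapeHtml`, since stripping on input cannot know which HTML, attribute or script context a value will later be written into.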

During testing, we found the following URLs to reproduce the Cross-site scripting (XSS) vulnerabilities.

Vulnerable Parameters: query, suggest

Vulnerable Parameters: projectOrFilterId

Vulnerable Parameters: projectOrFilterId, validate

Vulnerable Parameters: projectId, generate

Vulnerable Parameters: projectId, generate

Please see the attached file Cross_Site_Scripting.txt for the details of each response.