Some of the REST resources in Navigator plugin are susceptible to XSRF attacks

2013-07-11T08:18:18
ID ATLASSIAN:JRASERVER-33849
Type atlassian
Reporter bbain
Modified 2018-10-16T00:45:10

Description

Most of the REST resources in the Navigator plugin accept "application/x-www-form-urlencoded" bodies but do not check for an XSRF token when making mutative changes. Because a browser will submit such a body cross-origin from a plain HTML form and attach the victim's session cookie, an attacker-controlled page can make these changes on the victim's behalf. For example:

  • SaveFilterResource: Allow XSRF attack to change user's filter.
  • SuppressedTipsResource
  • UserSearchModeResource
  • PreferredSearchLayoutResource
  • IssueTableResource: Allow XSRF attack to change the user's current search. *...
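The following is an added illustration, not Navigator plugin code: a mutative handler that trusts the session cookie alone (the pattern the report describes) beside a hardened variant that also demands a per-session XSRF token. The form field and header names (atl_token, X-XSRF-Token), the JSESSIONID cookie and the request shape are assumptions for the example; a cross-site form post is simulated by building the request a browser would send when an attacker page auto-submits a form.

```python
"""Vulnerable vs. hardened handling of a form-encoded mutative REST request.
Constructed example; names such as atl_token and X-XSRF-Token are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs
import hmac
import secrets


@dataclass
class Request:
    method: str
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    xsrf_token: str
    filters: dict = field(default_factory=dict)


SESSIONS: dict = {}  # cookie value -> Session (stand-in for the server session store)


def new_session(user: str) -> str:
    """Create a session. The XSRF token is random, tied to the session,
    and delivered in the page markup, never in a cookie."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user=user, xsrf_token=secrets.token_urlsafe(32))
    return cookie


def parse_form(req: Request) -> dict:
    """Decode an x-www-form-urlencoded body; anything else yields no fields."""
    mime = req.content_type.split(";")[0].strip().lower()
    if mime != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(req.body).items()}


def save_filter_vulnerable(req: Request) -> int:
    """Resolves the user from the session cookie and mutates state with no token check."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or session is None:
        return 401
    form = parse_form(req)
    session.filters[form["id"]] = form["jql"]
    return 200


def xsrf_check_passes(req: Request, session: Session) -> bool:
    """Accept the token from a custom header (which a cross-site HTML form cannot
    set) or from a hidden form field (which the attacker cannot know); compare in
    constant time."""
    token = req.headers.get("X-XSRF-Token") or parse_form(req).get("atl_token")
    return token is not None and hmac.compare_digest(token, session.xsrf_token)


def save_filter_hardened(req: Request) -> int:
    """Same handler, but refuses the mutation unless the XSRF token matches."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or session is None:
        return 401
    if not xsrf_check_passes(req, session):
        return 403
    form = parse_form(req)
    session.filters[form["id"]] = form["jql"]
    return 200


def cross_site_form_post(victim_cookie: str) -> Request:
    """The request a browser sends when an attacker page auto-submits
    <form method="POST" action=".../SaveFilterResource">: the victim's cookie
    rides along, but no custom header and no session token can be supplied."""
    return Request(
        method="POST",
        content_type="application/x-www-form-urlencoded",
        body="id=10001&jql=project+%3D+ATTACKER",
        cookies={"JSESSIONID": victim_cookie},
    )


def demo() -> dict:
    """Run the forged post against both handlers and report the outcome."""
    victim = new_session("victim")
    vuln_status = save_filter_vulnerable(cross_site_form_post(victim))
    hard_status = save_filter_hardened(cross_site_form_post(victim))
    return {"vulnerable": vuln_status, "hardened": hard_status,
            "filter_after": SESSIONS[victim].filters.get("10001")}


if __name__ == "__main__":
    print(demo())
```

Switching such endpoints to accept only JSON would stop plain HTML forms (they cannot send application/json), but the robust fix is the token check: it works regardless of content type and also covers the form-encoded bodies these resources legitimately accept.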