DOM XSS in dhtmlHistory.js when using IE

Type atlassian
Reporter ccyd2
Modified 2017-02-20T02:53:20


In the createIE function inside dhtmlHistory.js, the value of the fragment identifier (location.hash) is concatenated into the HTML string used to create the history iframe without first being HTML-escaped or URL-encoded. An attacker-controlled fragment can therefore close the src attribute and the iframe tag and append arbitrary markup, which is a DOM XSS. It is exploitable in Internet Explorer, which hands the fragment to script unencoded.
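The following is an added illustration of the pattern described above, not code from dhtmlHistory.js or from Atlassian: a hypothetical reconstruction of iframe markup built by string concatenation, next to a hardened version, and a crude check that tells the two apart. IFRAME_SRC, the function names and the sample URL are assumptions; the payload is the one from the steps to reproduce below.

```javascript
// Added example (not the library's code). Reconstructs the vulnerable pattern
// from the report and a hardened alternative; runs under Node without a DOM.

const IFRAME_SRC = "/blank.html"; // assumed base document loaded in the history iframe

// Extract the fragment the way a location.hash consumer sees it: everything
// after the first '#', with no decoding applied.
function fragmentOf(url) {
  const i = url.indexOf("#");
  return i === -1 ? "" : url.substring(i + 1);
}

// Vulnerable pattern: the raw fragment lands inside a quoted attribute value.
// A fragment containing  "/></iframe><script>...  closes the attribute, closes
// the iframe, and starts a new element.
function buildIframeHtmlUnsafe(fragment) {
  return '<iframe id="historyFrame" src="' + IFRAME_SRC + "?" + fragment +
         '" style="border:0;width:1px;height:1px"></iframe>';
}

// Escape the characters that matter inside a double-quoted HTML attribute.
function htmlAttrEscape(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/"/g, "&quot;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;");
}

// Hardened pattern: URL-encode the fragment so it can only be query data,
// then HTML-escape the finished attribute value so it cannot end the quote.
function buildIframeHtmlSafe(fragment) {
  const src = IFRAME_SRC + "?" + encodeURIComponent(fragment);
  return '<iframe id="historyFrame" src="' + htmlAttrEscape(src) +
         '" style="border:0;width:1px;height:1px"></iframe>';
}

// Reviewer's check: the template contains exactly two tag starts
// (<iframe and </iframe). Any extra one came from the fragment.
function countTagStarts(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

function isInjected(html) {
  return countTagStarts(html) > 2;
}

// Stand-alone demonstration with the payload from the report.
const PAYLOAD = 'src="/></iframe><script>alert(3);</script>';
const demoUrl = "https://jira.example/jira/browse/TESTP#" + PAYLOAD; // constructed URL
const frag = fragmentOf(demoUrl);
console.log("unsafe injected:", isInjected(buildIframeHtmlUnsafe(frag)));
console.log("safe   injected:", isInjected(buildIframeHtmlSafe(frag)));
```

Browsers that follow the WHATWG URL standard percent-encode `"`, `<` and `>` in the fragment before script can read it, so the same concatenation only breaks out of the attribute in a browser that returns the fragment raw, which is why the report restricts exploitability to Internet Explorer. Building the iframe with document.createElement and setting iframe.src as a property avoids the HTML-parsing step entirely and is the simpler fix.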

Steps to reproduce:
1. Create a project named 'testproject' with the key 'TESTP'.
2. In Internet Explorer, go to https://$jiradomain/$contextpath/browse/TESTP#src="/></iframe><script>alert(3);</script>
3. Observe that an alert prompt containing the number 3 is shown. If it does not appear, refresh the page.