Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS

🗓️ 07 Apr 2021 00:00:00Reported by Captain_hookType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 722 Views

Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS, allows remote attackers to inject arbitrary HTML or JavaScript name

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS Vulnerability
7 Apr 202100:00
zdt
Atlassian		XSS in API and Integrations - CVE-2020-14166
18 Jun 202002:45
atlassian
Atlassian		XSS in API and Integrations - CVE-2020-14166
18 Jun 202002:45
atlassian
CNVD		Atlassian Jira Service Desk Server and Data Center Cross-Site Scripting Vulnerability
2 Jul 202000:00
cnvd
CVE		CVE-2020-14166
1 Jul 202001:35
cve
Cvelist		CVE-2020-14166
1 Jul 202001:35
cvelist
EUVD		EUVD-2020-6323
7 Oct 202500:30
euvd
NVD		CVE-2020-14166
1 Jul 202002:15
nvd
OSV		CVE-2020-14166
1 Jul 202002:15
osv
Packet Storm		Atlassian Jira Service Desk 4.9.1 Cross Site Scripting
7 Apr 202100:00
packetstorm
Rows per page
# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS
# Date: 07 Mar 2020
# Exploit Author: Captain_hook
# Vendor Homepage: https://www.atlassian.com/
# Version: < 4.10.0
# Tested on: All OS
# CVE: CVE-2020-14166

Summary:

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.

Steps to reproduce:

1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true
2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily
3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens.

Original report in bugcrowd:

https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking
Original ticket in atlassian:

https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Apr 2021 00:00Current
5.2Medium risk
Vulners AI Score5.2
CVSS 23.5
CVSS 3.14.8
EPSS0.0076
atlassian jira service deskunrestricted file uploadxssremote attackershtml injectionjavascript injectionsecurity vulnerability
722