Headline
CVE-2022-32274
The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to stored XSS via the project name to the creation function.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-040 Product: The Scheduler Manufacturer: Transition Technologies PSC Affected Version(s): 6.5.0 Tested Version(s): 6.5.0 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2022-05-27 Solution Date: 2022-07-12 Public Disclosure: 2022-07-13 CVE Reference: CVE-2022-32274 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Scheduler is an add-on for Jira for scheduling issues in Jira. The manufacturer describes the product as follows (see [1]): “The Scheduler allows you to plan and automate your process – all you need to do is to create issue template, define when it should be created – and that’s all!” Due to insufficient input validation of user-provided input, The Scheduler is vulnerable to cross-site scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The creation function of the scheduled issues add-on is prone to an XSS attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer[1] was used in a local Jira Server[4] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The creation function of the scheduled issues add-on is vulnerable to an XSS attack. If a project with the name “Pent” is created, it will be loaded via the following request when a scheduled issue is created: GET /rest/thescheduler/1.0/project?userKey=JIRAUSER31112&_=1652690457502 HTTP/2 Host: [REDACTED] Cookie: Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", “Google Chrome";v="101” Accept: */* Content-Type: application/json; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: “Linux” Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://[REDACTED]/secure/pl.com.tt.thescheduler.CreateScheduledIssue_Step1!default.jspa?formId=5aa106a2-d33f-4157-b068-aeb067808c74 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 The response contains the project name. Within this page, the malicious code will be executed. Here is a line of the response that contains the malicious input: … { "id":14661, "key":"PSOPPPP", "name":"PentProj", “avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473” }, { "id":14760, "key":"PEN3", "name":"PentProj3", “avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473” }, { "id":14761, "key":"PSOP", "name":"PentProj4", “avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473” }, … ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of user input. More information: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_ Prevention_Cheat_Sheet.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-12: Vulnerability discovered 2022-05-27: Vulnerability reported to manufacturer 2022-07-12: Patch released by manufacturer 2022-07-13: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for The Scheduler https://marketplace.atlassian.com/apps/37456/the-scheduler?hosting=server&tab=overview [2] SySS Security Advisory SYSS-2022-040 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-040.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Jira Core Server https://www.atlassian.com/software/jira/core/download ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Lukas Faiß of SySS GmbH. E-Mail: [email protected] Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas_Fai%C3%9F.asc Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoUUgaI50UFOnvpfD146uLrc5PuoFAmLNgL4ACgkQ146uLrc5 PuoR9Q//c4NuJvRM0wa1HPS78S0KNLfoWpyDLzZARfE5nKHSujY/pQd5ATw9zcMd JYw2tZ9wmxd+jv3XwFWwjbmRzbx3LNgeH3enKtEElI2ePJCNlK/Y8KazLuVtOhtz kKSGapYEfyilMfb7yVTG/n3sJCetiVXckbSF02Ss7UjXuFVCNVQdO3+UrxPYv7C2 NOQEmO66YX4L7ZJR6xuDmwt3b4BoXzR0qyN3kZUyo0E1bnOCHlI5V5vzO7KmM73T jPY9JHRK9PbkAllIhF3eKi1RFb62QBj0hkYxJB013J/EiFJjpdhKikVI2BstoFbH veCTL2zaFBgDhhBw7Rso7LcC8MwCkzGDA046C6vchDHdAa8EutE4UwgzfschGj/4 4MDWsIhQrKMSwInXIHc0MI1PrNT86itA3dT6SmVVYT48bzv8K9qQrOoZmO8yJhxK r4SYOMv5PzhffJxL5y2Irj0TGAoyjd8OGbOmxrpUSvNvvwZq7KUQb4ymnTcvv6Fk 3pVQXV5tLWcC3rzhEfuuSTkGViK1R1DAk0dN5XPPEaWURsV0zH+w5JXmfKpftYRZ NOqcJ0TYiNc3XZ4QYmbnlj0rfF80ePfPze8Q5LuHgKSljR42qEBnGrIXV3DP9dGb pwLYcg1/wkrt4HHAp8oh9i60QtuCv5KVdNYKknaoFCk1Bw0Hd70= =JJZ1 -----END PGP SIGNATURE-----