Vulnerability notification: User Profiles for Jira
Summary | JavaScript code can be injected into User Profile Configuration Advanced Options page. |
---|---|
Advisory Release Date | 4 December 2020 |
Product | User Profiles for Jira |
Affected Versions | all User Profiles for Jira versions until 2.4.1 |
Fixed Version | 2.4.1 |
Problem
We were able to identify security vulnerabilities in our User Profile for Jira app. The vulnerabilities allows user to inject JavaScript code into user profile configuration advanced options page. The injection of JavaScript is possible for privileged user who has permission to create or modify profile elements.
The vulnerability has been rated as P3 according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).
Solution
If you are using User Profiles for Jira in one of the affected versions until 2.4.0 please update to User Profiles for Jira 2.4.1.
Root Cause
Because of incorrect escaping our app would render data provided by an attacker as HTML. This qualifies as cross-site scripting (XSS) vulnerability. The HTML code which might contain JavaScript will then be executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.