Vulnerability notification: User Profiles for Jira

Summary

JavaScript code can be injected into User Profile Configuration Advanced Options page.

Advisory Release Date

4 December 2020

Product

User Profiles for Jira

Affected Versions

all User Profiles for Jira versions until 2.4.1

Fixed Version

2.4.1

Problem

We were able to identify security vulnerabilities in our User Profile for Jira app. The vulnerabilities allows user to inject JavaScript code into user profile configuration advanced options page. The injection of JavaScript is possible for privileged user who has permission to create or modify profile elements.

The vulnerability has been rated as P3 according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).

Solution

If you are using User Profiles for Jira in one of the affected versions until 2.4.0 please update to User Profiles for Jira 2.4.1.

Root Cause

Because of incorrect escaping our app would render data provided by an attacker as HTML. This qualifies as cross-site scripting (XSS) vulnerability. The HTML code which might contain JavaScript will then be executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.