CVE-2018-5230 | JIRA Cross Site Scripting
CVE Description
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
Target: example.com
I was performing recon on the target example.com.
My recon steps:
1. Parameter mining on example.com using paramspider, and checking the mined parameters for open redirect, SSRF and XSS
2. Subdomain enumeration using sublist3r, assetfinder, amass, crt.sh, subfinder, findomain-linux and sudomy, then sorting the subdomains uniquely and resolving them using httprobe
3. Using EyeWitness to take a screenshot of every subdomain
Now, while going through the screenshots, I found subdomain.example.com displaying a webpage with a simple message, as shown.
On further enumerating the endpoints, I found out that this domain was using the JIRA 7.1.1 issue collector, which is vulnerable to cross-site scripting.
So I simply inserted the payload in the URL bar.
Payload: %3CIFRAME%20SRC%3D%22javascript%3Aalert('XSS')%22%3E.vm
Vulnerable URL: subdomain.example.com/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert('XSS')%22%3E.vm
Navigating to the above URL resulted in the XSS being executed.
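To check an instance against the affected version ranges quoted in the CVE description, here is an added Python example; it is not part of the original writeup and not Atlassian's code. It assumes the version string can be read from Jira's /rest/api/2/serverInfo REST endpoint (a "version" field in the JSON response); the sample JSON below is constructed for offline use, and the network fetch only runs when a base URL is passed on the command line.

```python
"""Check a Jira Server/Data Center version against the CVE-2018-5230 ranges.

Added example. Assumption: the version comes from /rest/api/2/serverInfo,
whose JSON response carries a "version" string such as "7.1.1".
"""
import json
import re
import sys
import urllib.request
from typing import Tuple

Version = Tuple[int, ...]

# (introduced, fixed) pairs taken from the CVE text: a version is affected
# when introduced <= version < fixed. The first branch has no lower bound,
# so (0,) is used as a floor that every real version exceeds.
VULNERABLE_RANGES = [
    ((0,),      (7, 6, 6)),   # before 7.6.6
    ((7, 7, 0), (7, 7, 4)),   # 7.7.0 up to but not including 7.7.4
    ((7, 8, 0), (7, 8, 4)),   # 7.8.0 up to but not including 7.8.4
    ((7, 9, 0), (7, 9, 2)),   # 7.9.0 up to but not including 7.9.2
]


def parse_version(text: str) -> Version:
    """Turn '7.1.1' or '7.13.0-RC1' into a comparable tuple.

    Pre-release suffixes are ignored; short versions like '7.6' are padded
    to three components so tuple comparison behaves as expected.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside any range listed in the CVE."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def version_from_server_info(body: str) -> str:
    """Extract the version string from a serverInfo JSON body."""
    return json.loads(body)["version"]


def fetch_version(base_url: str, timeout: float = 10.0) -> str:
    """Fetch serverInfo from a live instance (assumed to need no auth)."""
    url = base_url.rstrip("/") + "/rest/api/2/serverInfo"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return version_from_server_info(resp.read().decode("utf-8"))


# Constructed sample of a serverInfo response, mirroring the 7.1.1 build
# named in the writeup, so the script runs without network access.
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://subdomain.example.com",
    "version": "7.1.1",
    "versionNumbers": [7, 1, 1],
    "deploymentType": "Server",
})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ver = fetch_version(sys.argv[1])
    else:
        ver = version_from_server_info(SAMPLE_SERVER_INFO)
    verdict = "in an affected range" if is_vulnerable(ver) else "not in an affected range"
    print(f"Jira {ver}: {verdict} for CVE-2018-5230")
```

Run it with no arguments to evaluate the constructed sample, or pass the base URL of a Jira instance you are authorised to test. A version match only tells you the build is in scope; confirming the bug still needs the error-message reflection the advisory describes.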
CVE Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5230
Timeline:
Reported: 2nd Oct 2020
Triaged: 6th Oct 2020
Rewarded: 9th Oct 2020
Twitter: https://twitter.com/parasarora06
LinkedIn: https://www.linkedin.com/in/parasarora06