## https://sploitus.com/exploit?id=1337DAY-ID-34791
Product: Jira module "Gantt-Chart for Jira"
Manufacturer: Frank Polscheit - Solutions & IT-Consulting
Affected Version(s): <=5.5.4
Tested Version(s): 5.5.3, 5.5.4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-23
Solution Date: 2020-07-31
Public Disclosure: 2020-08-03
CVE Reference: CVE-2020-15944
Author of Advisory: Sebastian Auwaerter, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Gantt-Chart for Jira is a Jira module for displaying Gantt charts.
The manufacturer describes the product as follows (see [1]):
"High performance Gantt-Chart capable to display multi-projects with
10.000+ issues aggregating them as top-level big picture"
Due to missing validation of user input, the module is vulnerable to
a persistent cross-site scripting attack. As described in
security advisory SYSS-2020-029 (see [4]), it is also possible to
attack other users with this attack vector.
To exploit this vulnerability, an attacker has to be authenticated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The vulnerability exists because the names of newly created filters
are not properly sanitized by the extension. A simple attack vector
like "<script>alert('XSS')</script>" can be chosen as the name of
a filter and is then displayed on every load of the vulnerable module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
This security vulnerability can be reproduced by simply creating a new
filter with the "filter name" "<script>alert('XSS')</script>". Whenever
the dashboard with the vulnerable module is loaded, the attack vector
gets executed.
The following request is sent to the web server:
PUT /rest/gantt/1.0/user/properties/<chart_id>?userKey=<your_user_name>
HTTP/1.1
Host: <victim_host>
[...]
[...]"filters":{{"search":""},"<script>alert(\"XSS\")</script>"}[...]
!!! This filter can not be easily removed via the web interface. !!!
!!! Use with caution. !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update to software version 5.5.5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 0day.today [2020-08-05] #