https://sploitus.com/exploit?id=1337DAY-ID-34791
Product: Jira module "Gantt-Chart for Jira"
Manufacturer: Frank Polscheit - Solutions & IT-Consulting
Affected Version(s): <=5.5.4
Tested Version(s): 5.5.3, 5.5.4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-23
Solution Date: 2020-07-31
Public Disclosure: 2020-08-03
CVE Reference: CVE-2020-15944
Author of Advisory: Sebastian Auwaerter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Gantt-Chart for Jira is a Jira module for displaying Gantt charts.

The manufacturer describes the product as follows (see [1]):

"High performance Gantt-Chart capable to display multi-projects with
10.000+ issues aggregating them as top-level big picture"

Due to missing validation of user input, the module is vulnerable to
a persistent cross-site scripting attack. As described in
security advisory SYSS-2020-029 (see [4]), it is also possible to
attack other users with this attack vector.

To exploit this vulnerability, an attacker has to be authenticated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerability exists because the names of newly created filters
are not properly sanitized by the extension. A simple attack vector
like "<script>alert('XSS')</script>" can be chosen as the name of
a filter and is then displayed on every load of the vulnerable module.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

This security vulnerability can be reproduced by simply creating a new
filter with the "filter name" "<script>alert('XSS')</script>". Whenever
the dashboard with the vulnerable module is loaded, the attack vector
gets executed.

The following request is sent to the web server:

PUT /rest/gantt/1.0/user/properties/<chart_id>?userKey=<your_user_name> HTTP/1.1
Host: <victim_host>
[...]

[...]"filters":{{"search":""},"<script>alert(\"XSS\")</script>"}[...]

!!! This filter can not be easily removed via the web interface. !!!
!!!                   Use with caution.                          !!!
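The following is an added illustration, not code from the advisory or from the vendor's module: it shows the rendering pattern behind this class of bug (a filter name concatenated into markup unescaped) next to the hardened form, plus a small audit helper for stored filter names. The function names, the sample user-properties object and the list markup are constructed assumptions for this example.

```javascript
// Added example (not the advisory's or the vendor's code). Constructed
// sample in the shape of the "filters" object from the PUT body above:
// the object keys are the user-chosen filter names.
const sampleUserProperties = {
  filters: {
    "Open bugs": { search: "type = Bug" },
    "<script>alert(\"XSS\")</script>": { search: "" },
  },
};

// Minimal HTML escaping for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (CWE-79): the filter name is inserted into markup
// verbatim, so a name containing <script> is parsed as a real tag every
// time the filter list is rendered (persistent XSS).
function renderFiltersUnsafe(props) {
  return Object.keys(props.filters)
    .map((name) => `<li class="gantt-filter">${name}</li>`)
    .join("");
}

// Hardened pattern: escape the name before it becomes markup. In real DOM
// code, assigning element.textContent instead of innerHTML has the same
// effect.
function renderFiltersSafe(props) {
  return Object.keys(props.filters)
    .map((name) => `<li class="gantt-filter">${escapeHtml(name)}</li>`)
    .join("");
}

// Audit helper for defenders: report stored filter names that contain
// markup characters, e.g. when reviewing user properties before updating.
function findSuspiciousFilterNames(props) {
  return Object.keys(props.filters || {}).filter((name) => /[<>"']/.test(name));
}
```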

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version 5.5.5.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#  0day.today [2020-08-05]  #