An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.
Atlassian Jira 7.6.4 Atlassian Jira 7.7.0 Atlassian Jira 8.1.0
7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Parsing of comments or worklogs that use the wikirenderer are susceptible to malformed input which will result in a persistent XSS. The renderer markup format supports setting attributes for embedded images, with an
attr=val format. The renderer also supports parsing URLs to create links in the rendered output. However, the renderer also creates URLs for image attributes that have a value starting with
To demonstrate the issue on versions 7.6.4-7.7.0, create an issue comment with the following content:
The same issue can be demonstrated on version 8.1.0, using the following content:
2019-05-14 - Vendor disclosure
2019-09-09 - Vendor patched
2019-09-12 - Public release
Discovered by Ben Taylor of Cisco ASIG.