Advisory ID: SYSS-2020-007
Product: Subversion ALM for enterprise
Manufacturer: Marketplace Expert SL
Affected Version(s): 8.8.1
Tested Version(s): 8.8.1
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Solved
Manufacturer Notification: 2020-02-20
Solution Date: 2020-02-21
Public Disclosure: 2020-02-24
CVE Reference: CVE-2020-9344
Author of Advisory: Marius Rothenbuecher, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Subversion ALM is an app to integrate Subversion (SVN) servers into Jira.

The manufacturer describes the product as follows (see [1]):

"The powerful, lightweight and native alternative to FishEye for
Subversion and Jira"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Due to invalid input sanitization, the software is vulnerable to
reflected cross-site scripting attacks at multiple locations. Request
parameters of several JSP pages (url, errormessage, description) are
reflected into the response without context-appropriate output encoding.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

https:///plugins/servlet/svnwebclient/changedResource.jsp?url=">
https:///plugins/servlet/svnwebclient/commitGraph.jsp?');alert("XSS by SySS
https:///plugins/servlet/svnwebclient/commitGraph.jsp?url=">
https:///plugins/servlet/svnwebclient/error.jsp?errormessage='">&description=test
https:///plugins/servlet/svnwebclient/statsItem.jsp?url=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Subversion ALM for enterprise to the newest version.
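The PoC URLs above show two different injection contexts: a double-quoted HTML attribute (url=">) and a JavaScript string literal inside a script block (');...). As an added illustration that is not code from Subversion ALM or from this advisory, the following hypothetical Java helper contrasts the unsafe pattern the advisory describes (writing a request parameter straight into the page) with output encoding chosen per context. Class, method and markup names are assumptions.

```java
/** Hypothetical helper (not from the affected product): per-context output encoding
 *  for values that a JSP/servlet reflects back into the page. */
public final class ReflectedParamEncoding {

    // Encode for HTML text or a double-quoted attribute such as value="...".
    static String forHtmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Encode for a quoted JavaScript string literal inside <script>. Everything outside a
    // small allow-list becomes a Unicode escape, so the value can neither close the quote
    // and parenthesis nor terminate the script block with a closing tag.
    static String forJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            boolean safe = Character.isLetterOrDigit(c) || c == ' ' || c == '.'
                    || c == '_' || c == '-' || c == ':' || c == '/';
            if (safe) sb.append(c); else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    // Vulnerable pattern (the behaviour the advisory describes): raw parameter in the page.
    static String vulnerableAttr(String url)   { return "<input name=\"url\" value=\"" + url + "\">"; }
    static String vulnerableScript(String url) { return "<script>drawGraph('" + url + "');</script>"; }

    // Hardened pattern: same markup, each value encoded for the context it lands in.
    static String hardenedAttr(String url)   { return "<input name=\"url\" value=\"" + forHtmlAttr(url) + "\">"; }
    static String hardenedScript(String url) { return "<script>drawGraph('" + forJsString(url) + "');</script>"; }

    public static void main(String[] args) {
        // Constructed sample input containing the delimiter characters the PoC URLs rely on.
        String untrusted = "\"><b>x</b> ');y('";
        System.out.println(vulnerableAttr(untrusted));
        System.out.println(hardenedAttr(untrusted));
        System.out.println(vulnerableScript(untrusted));
        System.out.println(hardenedScript(untrusted));
    }
}
```

In the hardened output the quote, angle-bracket and parenthesis characters survive only as entities or Unicode escapes, so the markup and script structure written by the page cannot be altered by the parameter value.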
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-02-20: Vulnerability discovered
2020-02-20: Vulnerability reported to manufacturer
2020-02-21: Patch released by manufacturer
2020-02-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Subversion ALM for enterprise
    https://marketplace.atlassian.com/apps/1211642/
[2] SySS Security Advisory SYSS-2020-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-007.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sascha Heider and
Marius Rothenbuecher of SySS GmbH.

E-Mail: sascha.heider (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

E-Mail: marius.rothenbuecher (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Marius_Rothenbuecher.asc
Key Fingerprint: 615E F88B 7C62 78D6 3EA5 9B78 09F8 9FFF 4941 B8E2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en