-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2022-040
Product: The Scheduler
Manufacturer: Transition Technologies PSC
Affected Version(s): 6.5.0
Tested Version(s): 6.5.0
Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2022-05-27
Solution Date: 2022-07-12
Public Disclosure: 2022-07-13
CVE Reference: CVE-2022-32274
Author of Advisory: Lukas Faiß, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The Scheduler is a Jira add-on for creating issues automatically on a
schedule.
The manufacturer describes the product as follows (see [1]):
"The Scheduler allows you to plan and automate your process – all you
need to do is to create issue template, define when it should be
created – and that’s all!"
Due to insufficient input validation of user-provided input,
The Scheduler is vulnerable to cross-site scripting (XSS) attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The creation function for scheduled issues is prone to a stored XSS
attack. XSS vulnerabilities allow an attacker to embed malicious
JavaScript code in server responses that is later executed in the
browsers of other users. By executing JavaScript, attackers can, for
example, perform actions in the context of other logged-in users. Here
the payload is stored in the name of a Jira project, so the attacker
needs the privileges required to create or rename a project; the code
then runs for every user who creates a scheduled issue.
For testing purposes, the manufacturer's add-on [1] was installed in a
local Jira Server [4] instance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The creation function for scheduled issues is vulnerable to an XSS
attack. For the test, projects whose names start with "Pent" were
created. When a scheduled issue is created, the list of projects,
including these names, is loaded via the following request:
GET /rest/thescheduler/1.0/project?userKey=JIRAUSER31112&_=1652690457502 HTTP/2
Host: [REDACTED]
Cookie:
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: */*
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent:
Sec-Ch-Ua-Platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[REDACTED]/secure/pl.com.tt.thescheduler.CreateScheduledIssue_Step1!default.jspa?formId=5aa106a2-d33f-4157-b068-aeb067808c74
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The response contains the project names, which the page that issued the
request inserts into the document without HTML encoding. A JavaScript
payload in a project name is therefore executed within this page in the
browser of every user who opens it. The following excerpt of the
response shows the entries for the test projects; the "name" field is
the one that carries the payload:
...
{
"id":14661,
"key":"PSOPPPP",
"name":"PentProj",
"avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473"
},
{
"id":14760,
"key":"PEN3",
"name":"PentProj3",
"avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473"
},
{
"id":14761,
"key":"PSOP",
"name":"PentProj4",
"avatar":"https://[REDACTED]/secure/projectavatar?size=xsmall&avatarId=12473"
},
...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Context-sensitive HTML encoding of user-controlled data, here the project
name, at the point where it is written into the page. The manufacturer
released a fixed version on 2022-07-12 (see Disclosure Timeline).
More information:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
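The following JavaScript is an added illustration and is not code from
this advisory or from The Scheduler. How the add-on actually renders the
project list is not shown above, so the rendering into <option>
elements, the hypothetical payload and the sample response (modelled on
the excerpt in the PoC section) are assumptions. It shows the class of
sink that turns a project name from the JSON response into stored XSS,
the context-sensitive HTML encoding that closes it, and a regression
check a tester can run against the rendered markup:

```javascript
// Added example, not code from the advisory or from The Scheduler.
// Demonstrates how a project name returned by the project endpoint becomes
// stored XSS when the page builds HTML from it by string concatenation, and
// how context-sensitive HTML encoding closes the hole. Runs under Node.js.

// Constructed sample response, shaped like the excerpt in the advisory.
// The third entry carries a hypothetical payload in its "name" field.
const AVATAR = "https://jira.example/secure/projectavatar?size=xsmall&avatarId=12473";
const projectResponse = JSON.stringify([
  { id: 14661, key: "PSOPPPP", name: "PentProj", avatar: AVATAR },
  { id: 14760, key: "PEN3", name: "PentProj3", avatar: AVATAR },
  { id: 99999, key: "EVIL", name: '<img src=x onerror="alert(document.cookie)">', avatar: AVATAR },
]);

// Vulnerable renderer (assumed sink): untrusted fields are concatenated
// into markup that the page would then assign to innerHTML.
function renderProjectOptionsVulnerable(json) {
  return JSON.parse(json)
    .map((p) => `<option value="${p.id}">${p.name}</option>`)
    .join("");
}

// Encoder for two HTML contexts: element content and double-quoted
// attribute values. JavaScript, URL or CSS contexts need their own encoders.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed renderer: each untrusted field is encoded for the context it lands in.
function renderProjectOptionsSafe(json) {
  return JSON.parse(json)
    .map((p) => `<option value="${encodeHtml(p.id)}">${encodeHtml(p.name)}</option>`)
    .join("");
}

// Regression check for a tester: remove the markup the renderer itself
// emits and report whether any other "<" survived, since every injected
// tag needs one. An encoded "&lt;" does not count.
function containsRawMarkup(html) {
  const ownTags = /<\/?option(?:\s+value="[^"<>]*")?>/g;
  return html.replace(ownTags, "").includes("<");
}

// Stand-alone demonstration.
console.log("vulnerable:", renderProjectOptionsVulnerable(projectResponse));
console.log("fixed:     ", renderProjectOptionsSafe(projectResponse));
console.log("raw markup survives? vulnerable:",
  containsRawMarkup(renderProjectOptionsVulnerable(projectResponse)),
  "fixed:", containsRawMarkup(renderProjectOptionsSafe(projectResponse)));
```

Run with node: the vulnerable renderer emits the <img> tag verbatim, the
fixed one emits it as &lt;img ...&gt;, and the check reports true only
for the former. Note that the JSON response itself is not the defect;
JSON.stringify already escapes correctly for the JSON context. The
encoding has to happen where the value is written into HTML, and a value
placed into a JavaScript, URL or CSS context needs that context's encoder
instead.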
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2022-05-12: Vulnerability discovered
2022-05-27: Vulnerability reported to manufacturer
2022-07-12: Patch released by manufacturer
2022-07-13: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for The Scheduler
https://marketplace.atlassian.com/apps/37456/the-scheduler?hosting=server&tab=overview
[2] SySS Security Advisory SYSS-2022-040
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-040.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] Jira Core Server
https://www.atlassian.com/software/jira/core/download
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Lukas Faiß of SySS GmbH.
E-Mail: lukas.faiss@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas_Fai%C3%9F.asc
Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----