-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-050 
Product:                   Timesheet Tracking for Jira
Manufacturer:              TouchDown
Affected Version(s):       4.1.4
Tested Version(s):         4.1.4 on Jira DataCenter v9.2.0
Vulnerability Type:        Stored Cross-Site Scripting (CWE-79) 
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2022-10-18
Solution Date:             Unknown
Public Disclosure:         2023-04-14
CVE Reference:             CVE-2022-44726
Author of Advisory:        Patrick Schlüter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Timesheet Tracking for Jira is a timesheet plug-in for Jira.

The manufacturer describes the product as follows (see [1]):

"Top 3 Trending time tracking app! Powerful and easy to use timesheet
reports based on users worklogs"

Due to missing input sanitization, the calendar view is vulnerable to
cross-site scripting (XSS) attacks.

In order to exploit the vulnerabilities, the attacker needs to be able
to change an existing issue's title or create a new issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The calendar view provided by this plug-in is prone to XSS attacks. 
These vulnerabilities allow an attacker to inject malicious JavaScript 
code into a page's DOM or the server's replies. When other users visit 
a page containing the embedded code, it will be executed by their 
browsers. This allows the attackers to perform actions in the context 
of the attacked users.

The found vulnerabilities allow attackers to attack users who either
create a new calendar entry themselves or users who visit a calendar
entry created by the attacker.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For testing purposes, the add-on of the manufacturer[1] was used in
a clean, local Jira Server installation running on port 8080.

First, a new issue was created which had the following title: 

<s>XSS<img src=1 onerror="alert('XSS in issue title')">

Then, the calendar view was opened by clicking on "Quick Timesheet" in
the menu bar and selecting the "Calendar View" entry. In the calendar
view, the dialog of creating a new entry is opened by clicking the plus
sign below any of the days. When the drop-down menu for the issue is 
selected, the application performs an HTTP GET request to
http://localhost:8080/rest/reportrest/1.0/reportrestglobal/search-issues-picker?q=.

The server responded with a list of issues that contained the XSS
payload:

[{"id":"10001",
"issueTypeIconUrl":"/secure/viewavatar?size=xsmall&avatarId=10318&avatarType=issuetype",
"issueKey":"TEST-2",
"issueSummary":"<s>XSS<img src=1 onerror=\"alert('XSS in issue title')\">"}]

This data is then added to the page's DOM using JavaScript, which 
causes the XSS payload to trigger and, in this case, show an alert 
box. When the added HTML is inspected using the browser's developer 
tools, it can be seen that the XSS payload was interpreted as HTML 
tags. This also caused the browser to close the <s> tag the payload
has opened:

<div class="select2-result-label">
<div title="<s>XSS<img src=1 onerror=&quot;alert('XSS in issue title')&quot;>">
<img class="icon" alt="" src="http://localhost:8080/secure/viewavatar?size=xsmall&amp;avatarId=10318&amp;avatarType=issuetype">
 TEST-2 - <s>XSS<img src="1" onerror="alert('XSS in issue title')"></s>
</div>
</div>

When a calendar entry (which is linked to the issue with the XSS 
payload) is created, another XSS vulnerability can be seen.
To trigger this, the page needs to be reloaded or the user's 
calendar needs to be viewed by another user.
When this is done, the XSS payload should be triggered again,
resulting in another pop-up. When inspecting the calendar entry
using the browser's developer tools, the following HTML contents can
be seen:

<div class="informationSection">
<div class="issueSummarySection" title="<s>XSS<img src=1 onerror=" alert(&#39xss="" in="" issue="" title')"="">
"&gt;
<s>XSS<img src="1" onerror="alert('XSS in issue title')"></s>
</div>
<s> <div id="commentSection" class="commentSection">12</div> </s></div>

Here, again, the issue's title was insecurely inserted into the page's 
DOM. In the second line, it can also be seen that the quotes in the 
payload were not properly escaped, which caused the rest of the payload
to be interpreted as HTML attributes. This could also be abused for an
XSS attack.

Lastly, to the left of the calendar, a tab called "Recent" was shown 
by default. Here, the XSS payload was also not escaped, but was truncated
after a small number of characters, which prevented the payload from
being executed:

<b style="float: left;">
<s>XSS<img src="1" onerror="alert('XS...</b></div>
<div class=" commentsection"="" id="commentSection"></s>
</b>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

For the manufacturer:
The issue's name (and all other input that is user controllable) should
be properly escaped everywhere before being added in the page, or
HTML injection-safe JavaScript functions like document.createTextNode()
should be used.

For administrators:
So far, no patch has been released by the manufacturer.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-10-18: Vulnerability reported to manufacturer
2022-10-26: Contacted manufacturer again due to not receiving a response
2023-04-14: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Timesheet Tracking for Jira
    https://marketplace.atlassian.com/apps/1216988/timesheet-tracking-for-jira?tab=overview
[2] SySS Security Advisory SYSS-2022-050
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-050.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Schlüter of SySS
GmbH.

E-Mail: patrick.schlueter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Schlüter.asc
Key ID: 0x2F86A35CF24BD3BB
Key Fingerprint: 5089 52DD 4550 1B5A 01BB  7827 2F86 A35C F24B D3BB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUIlS3UVQG1oBu3gnL4ajXPJL07sFAmQucsEACgkQL4ajXPJL
07sPRhAAujAIl69/xJb5HAb4QqNvC2EH6dyVPLG0Rk2yvPRXVTKSF4ma8sf7vnIp
Oyb+wB67Fwj4xWINok79NwoO5V6PwGAQtCih1ncSIPn11tlTbrAiLNJ2C6AKuJRq
ImWde5+1T3Sx47sjrqDXMa2xzZpjPZZ4q01UT5O08XdfbXKchxBOBl7nPZQLs8cO
/7QKIX7r+INeGH67GSNIgWFKUAoL7UWR8FR6p5al4zPNxDDfSRj9DU3fLUe1fKgn
nWUdGqKEdxM2FUw8/OJzLqz5Sg7rv6bv6Usumxb5lorKe6Rr0lm0rT2atBr9FQsm
O2kDCqWxeA9wkBAg1hR7/Hn3gya5hFUFygU8qduB2H+v31pvI0Wvo3K+eiWV/YOA
FN5A5WSjBZI50RZkRtWzy4yue/Kq2VdltZGZrEPGgbp69+WlQgtpm28unm3CMkao
WdS0IUkOl4RmUiLl0fvSsH0mmExYXVuStiyGRinLsrCqNMxUKg9+IeuM0WJGHOVY
SbiwYsvN5qSuBxIPxgdOyc2VklMmdb4L89563G/QEgi97nr1YZt06Vu+88hhLi+B
rUKeJg9bOnTEX6oc4WST6m/MpDY2J2E/MdGIxqyiRs/bhCIcaCNCW4S/Hid0rMXc
mcYDn5m07YqSiqHnigpWfIbIbj0W8JjXCnn0w5He2zBrSFPGNV0=
=wfb6
-----END PGP SIGNATURE-----