ITEM | Comment |
---|---|
Software | Reminder for Jira – Follow Up Issues |
Vendor | Teamlead |
Version | < 2.6.6 |
Type of Issue | Cross-Site Scripting |
CWE | https://cwe.mitre.org/data/definitions/79.html |
CVE | CVE-2023-30453 |
OWASP | Testing for Stored Cross Site Scripting |
Roles affected | All |
CVSS | High – 8.5 |
Credits | Sven Schlüter & Thore Imhof from Y-Security |
Summary
The Reminder for Jira plugin gives users the ability to create simple reminders for themselves and for other users within the same Jira instance. It is possible to embed HTML code directly within a single reminder, leading to a stored Cross-Site Scripting vulnerability that can be used to target other users. The victim user simply has to view the reminder, and the attacker's payload is then executed within the victim's browser.
CVE-2023-30453 was assigned for this vulnerability.
Mitigation & Recommendation
The vulnerability has been fixed in version 2.6.6, although the vendor does not state explicitly which security vulnerabilities this patch fixes.
It is recommended to upgrade the plugin to the latest version, which fixes this vulnerability. We tested the updated plugin to ensure this vulnerability can no longer be exploited.
We closely follow the OWASP guidelines when performing penetration tests, and we recommend following the OWASP Cross-Site Scripting Prevention Cheat Sheet to successfully mitigate Cross-Site Scripting vulnerabilities.
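As an added example that is not the plugin's code, the following shows the core of that recommendation applied to a hypothetical reminder record: the unencoded rendering pattern that allows stored markup to reach other users' browsers, the contextually encoded version that neutralises it, and a small audit helper for reviewing stored reminder data. The record fields, function names and sample data are assumptions constructed for the illustration.

```javascript
// Added example, not the plugin's code. Demonstrates output encoding per the
// OWASP XSS Prevention Cheat Sheet on a hypothetical reminder record.

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: stored fields are concatenated into HTML as-is, so markup
// saved by one user is interpreted by the browser of every user who views it.
function renderReminderUnsafe(reminder) {
  return `<div class="reminder" title="${reminder.title}">` +
         `<p>${reminder.text}</p><span>${reminder.author}</span></div>`;
}

// Fixed pattern: every untrusted field is encoded for the context it lands in
// (attribute value for title, element text for text and author).
function renderReminderSafe(reminder) {
  return `<div class="reminder" title="${escapeHtml(reminder.title)}">` +
         `<p>${escapeHtml(reminder.text)}</p>` +
         `<span>${escapeHtml(reminder.author)}</span></div>`;
}

// Audit helper: flag stored reminders whose title or text contains raw HTML
// tags, useful when reviewing existing data rather than only new input.
const RAW_TAG = /<\s*\/?\s*[a-z][^>]*>/i;
function findSuspiciousReminders(reminders) {
  return reminders.filter(r => RAW_TAG.test(r.title) || RAW_TAG.test(r.text));
}

// Constructed sample data; the <b> tag is a harmless marker standing in for
// whatever markup a user might store, not a real payload.
const SAMPLE_REMINDERS = [
  { id: 1, author: "alice", title: "Standup", text: "Prepare sprint notes" },
  { id: 2, author: "mallory", title: 'Review "urgent"', text: "<b>check</b> the PR" },
];
```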
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded, and therefore we decided to disclose the vulnerability after a fix had been released.
Disclosure Timeline
DATE | COMMENT |
---|---|
04.11.2022 | Y-Security discovered security vulnerability & communicated to client |
22.12.2022 | Y-Security reported issue to Atlassian Bugcrowd Program |
23.12.2022 | Bugcrowd unable to reproduce issue / requested further information |
02.01.2023 | Y-Security provided additional information and Video Proof of Concept |
04.01.2023 | Bugcrowd reproduced & acknowledged issue |
13.01.2023 | Bugcrowd forwarded issue to Product Owner |
16.01.2023 | Y-Security requested CVE via Bugcrowd |
30.01.2023 | Y-Security requested update |
01.02.2023 | Bugcrowd declined CVE request |
01.03.2023 | Y-Security reminded Bugcrowd of disclosure date |
02.03.2023 | Bugcrowd provided status update |
03.03.2023 | Teamlead confirmed working on fix |
07.03.2023 | Y-Security coordinated fix with client |
13.03.2023 | Y-Security gave notice of disclosure policy |
17.03.2023 | Teamlead released fix |
04.04.2023 | Y-Security requested update with no response |
10.04.2023 | CVE assigned (CVE-2023-30453) |
11.04.2023 | Y-Security informed Bugcrowd of assigned CVE |
16.05.2023 | Y-Security disclosed CVE-2023-30453 |
Author
Thore Imhof
thore@y-security.de
Y-Security GmbH
16 May 2023