VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2009 · Updated Apr 23, 2026

CVE-2008-6831

Description

Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Atlassian JIRA Enterprise Edition 3.13 is vulnerable to stored and reflected XSS via the fullname and returnUrl parameters.

Vulnerability

Atlassian JIRA Enterprise Edition versions up to and including 3.13 contain multiple cross-site scripting (XSS) vulnerabilities. The ViewProfile page does not HTML-escape the fullname (Full Name) parameter, allowing stored XSS when a user's profile is viewed. Additionally, the returnUrl parameter in forms (e.g., secure/AddComment!default.jspa) is not properly sanitized, enabling reflected XSS. These issues are fixed in JIRA 3.13.1 [1].
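Both flaws come down to output handling: a display name rendered without HTML escaping, and a returnUrl echoed back into a form without validation. The following is an added, hypothetical illustration of the two defensive controls in Python (it is not JIRA code; the page fragments, the default return path "/" and the helper names are assumptions):

```python
import html
from urllib.parse import urlsplit


def escape_for_html(value: str) -> str:
    """HTML-escape untrusted text before placing it in a page body or attribute."""
    return html.escape(value, quote=True)


def render_profile(fullname: str) -> str:
    """Hypothetical ViewProfile fragment: the stored display name is escaped on output,
    so markup in a crafted fullname is shown as text instead of being interpreted."""
    return f"<h1>Profile: {escape_for_html(fullname)}</h1>"


def safe_return_url(candidate: str, default: str = "/") -> str:
    """Accept only a path-relative, same-site returnUrl; otherwise fall back to default.

    Rejects absolute URLs (any scheme, javascript: included), scheme-relative
    '//host' forms, backslashes (treated as slashes by some browsers) and
    control characters.
    """
    if not candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    if "\\" in candidate:
        return default
    return candidate


def render_add_comment_form(return_url: str) -> str:
    """Hypothetical AddComment form: returnUrl is validated first, then still escaped
    when written into the hidden field, so a valid path cannot break out of the attribute."""
    safe = escape_for_html(safe_return_url(return_url))
    return (
        '<form action="/secure/AddComment.jspa">'
        f'<input type="hidden" name="returnUrl" value="{safe}">'
        "</form>"
    )
```

Validation and escaping are independent layers: the validator stops off-site and scheme-based values, while escaping on output covers characters that are legal in a path but dangerous inside an attribute.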

Exploitation

For the stored XSS in ViewProfile, an attacker with the ability to create or edit a user (e.g., via public signup or direct user creation) can set a crafted fullname containing JavaScript. When another user visits that profile, the script executes in their browser session. For the reflected XSS on returnUrl, an attacker can craft a malicious link (e.g., via email or web page) that, when clicked by an authenticated JIRA user, executes arbitrary script in the context of the JIRA application. No special network position is required beyond internet access to the JIRA instance [1].

Impact

Successful exploitation allows an attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to theft of session cookies or other credentials (sent to an attacker-controlled server), unauthorized actions on behalf of the victim, or potential system compromise depending on the victim's privileges. The severity is rated HIGH by Atlassian [1].

Mitigation

The vulnerabilities are fixed in JIRA 3.13.1, released on 2008-10-29 (per the advisory date). Users should upgrade to JIRA 3.13.1 or later. No patches are available for older versions. As a workaround, disable anonymous access and public signup, or restrict JIRA access to trusted groups until the upgrade can be applied [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Atlassian / Jira (2 versions)
    • cpe:2.3:a:atlassian:jira:3.13:*:enterprise:*:*:*:*:*
    • (no CPE) range: 3.13

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.