CVE-2019-8444
An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.
Atlassian Jira 7.6.4, Atlassian Jira 7.7.0, Atlassian Jira 8.1.0
https://www.atlassian.com/software/jira
7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Parsing of comments or worklogs that use the WikiRenderer is susceptible to malformed input, which results in a persistent XSS. The renderer's markup format supports setting attributes for embedded images using an attr=val format. The renderer also parses URLs in order to create links in the rendered output; however, it applies the same URL handling to image attributes whose value starts with http:.
Combining these two behaviors allows an attacker to produce malformed HTML output, which can be leveraged to execute arbitrary JavaScript.
To demonstrate the issue on versions 7.6.4-7.7.0, create an issue comment with the following content:
!https://cdn.cnn.com/cnn/.e1mo/img/4.0/logos/logo_cnn_badge_2up.png|width=http://onmouseover=alert(42);//!
The same issue can be demonstrated on version 8.1.0, using the following content:
!image.png|width=\" onmouseover=alert(42);//!
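As an added defensive illustration (not Talos's or Atlassian's code), the following Python approximates the image-macro attribute handling from a hardening and detection angle: it allowlists attribute names and value shapes, so the two sample comments above are flagged, and a hardened renderer drops the offending attribute instead of emitting it. The macro grammar and the attribute allowlist are assumptions for this example, not Jira's actual grammar.

```python
import html
import re

# Wiki image macro shape inferred from the advisory's examples: !src|attr=val,attr=val!
# (an approximation for this example, not Jira's actual grammar).
IMAGE_MACRO = re.compile(r"!(?P<src>[^|!\s]+)(?:\|(?P<attrs>[^!]*))?!")

# Allowlist of attribute names and the value shape each may take (assumed set).
# The advisory's payloads abuse "width", whose legitimate values are numeric.
ALLOWED_ATTRS = {
    "width": re.compile(r"^\d{1,4}(%|px)?$"),
    "height": re.compile(r"^\d{1,4}(%|px)?$"),
    "align": re.compile(r"^(left|right|center)$"),
    "alt": re.compile(r"^[\w .,-]{0,100}$"),
}
SRC_OK = re.compile(r"^(https?://[^\s\"'<>]+|[\w.-]+)$")


def parse_attrs(attrs):
    """Split 'a=1,b=2' into [(name, value)], splitting each pair on its first '='."""
    pairs = []
    for raw in attrs.split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        pairs.append((name.strip().lower(), value.strip() if sep else ""))
    return pairs


def audit_image_macros(text):
    """Detection: return (src, attr, value, reason) for every image-macro attribute
    outside the allowlist. An empty list means nothing in the text looks off."""
    findings = []
    for m in IMAGE_MACRO.finditer(text):
        for name, value in parse_attrs(m.group("attrs") or ""):
            pattern = ALLOWED_ATTRS.get(name)
            if pattern is None:
                findings.append((m.group("src"), name, value, "attribute not allowlisted"))
            elif not pattern.match(value):
                findings.append((m.group("src"), name, value, "unexpected value shape"))
    return findings


def render_image(src, attrs):
    """Hardened rendering: refuse odd sources, keep only well-formed allowlisted
    attributes, and HTML-escape (quotes included) everything that is emitted."""
    if not SRC_OK.match(src):
        return ""
    kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in parse_attrs(attrs)
            if n in ALLOWED_ATTRS and ALLOWED_ATTRS[n].match(v)]
    return f'<img src="{html.escape(src, quote=True)}"{"".join(kept)}>'
```

Running audit_image_macros over incoming comment and worklog text gives a simple pre-patch detection hook, while render_image shows the shape of the fix: validate attribute values against what the attribute can legitimately hold before any URL handling or HTML emission.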
2019-05-14 - Vendor disclosure
2019-09-09 - Vendor patched
2019-09-12 - Public release
Discovered by Ben Taylor of Cisco ASIG.