Merge pull request #5844 from projectdiscovery/CVE-2019-3402

Fix FP CVE-2019-3402
patch-1
Prince Chaddha 2022-10-28 09:55:58 +05:30 committed by GitHub
commit e2e38872cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 6 deletions

View File

@ -4,7 +4,8 @@ info:
name: Jira < 8.1.1 - Cross-Site Scripting name: Jira < 8.1.1 - Cross-Site Scripting
author: pdteam author: pdteam
severity: medium severity: medium
description: Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter. description: |
Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
reference: reference:
- https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c - https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
- https://jira.atlassian.com/browse/JRASERVER-69243 - https://jira.atlassian.com/browse/JRASERVER-69243
@ -15,6 +16,7 @@ info:
cve-id: CVE-2019-3402 cve-id: CVE-2019-3402
cwe-id: CWE-79 cwe-id: CWE-79
metadata: metadata:
verified: true
shodan-query: http.component:"Atlassian Jira" shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2019,atlassian,jira,xss tags: cve,cve2019,atlassian,jira,xss
@ -25,12 +27,18 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word
part: body
words:
- "'<script>alert(1)</script>' does not exist"
- type: word
part: header
words:
- text/html
- type: status - type: status
status: status:
- 200 - 200
- type: word
words:
- "<script>alert(1)</script>"
part: body
# Enhanced by mp on 2022/08/31 # Enhanced by mp on 2022/08/31