Snapsec's security researchers found a serious stored cross-site scripting (XSS) flaw in the Jira platform. The team showed how a low-privileged user could take over an entire organization by abusing a configuration field that looked low-risk.
The flaw carries an important lesson for securing Software-as-a-Service (SaaS) platforms: even mature products can have serious holes when input validation is skipped in internal configuration panels. Snapsec advises organizations to validate customizable fields strictly so that every admin workflow stays safe.
The article was first published on December 7, 2013 at 9:30 a.m. local time (12:30 p.m. ET) and was last updated with the most recent information from Snapsec on November 16, 2014 at 10:00 a.m. local time (1:00 p.m. ET). It has been updated to note that Snapsec has confirmed the problem is fixed.
Notably, the attack was carried out from the "Product Admin" role rather than "Super Admin." Jira ships with default priority levels, but administrators can change the priorities and their meanings to fit their organization's needs.
A Product Admin may have no direct access to other Atlassian products such as Jira Service Management or Confluence, but can still perform basic administrative tasks such as managing issue priorities. To carry out the attack, a compromised or malicious Product Admin opens the Jira issue settings and adds a new custom priority.
They place a crafted payload in the icon URL field, for example https://google.com?name=
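The mechanism described above, modeled as an added example (not Snapsec's write-up or Atlassian's code): a priority's stored icon URL is interpolated into an `<img>` tag without escaping, so a value saved by a Product Admin runs script in the browser of every user who later views an issue with that priority, including higher-privileged admins. The payload, field names and function names here are constructed for illustration and are not the researchers' payload. The hardened form validates the URL at write time (WHATWG URL parse plus an http(s) scheme allowlist) and HTML-escapes at render time.

```javascript
// Added example: vulnerable vs. hardened rendering of a stored priority icon URL.
// Nothing here is Jira's real code; names and the payload are assumptions.

// Constructed payload (not the one from the article): closes the src attribute
// and injects an event handler.
const CONSTRUCTED_PAYLOAD =
  'https://example.com/icon.png" onerror="alert(document.cookie)';

const DEFAULT_ICON = 'https://example.com/icons/default.png'; // assumed fallback

// Vulnerable: the stored value goes straight into the attribute.
function renderPriorityIconVulnerable(priority) {
  return `<img class="priority-icon" src="${priority.iconUrl}" alt="${priority.name}">`;
}

// Escape the five characters that matter inside a double-quoted HTML attribute.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Write-time validation for the admin-editable icon URL field.
// Returns the normalized URL or null when the value should be rejected.
function validateIconUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // relative or malformed values throw
  } catch {
    return null;
  }
  // Allowlist schemes: rejects javascript:, data:, vbscript: and friends.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // No embedded credentials in an icon URL.
  if (url.username || url.password) return null;
  // url.href is the serialized form: quotes and spaces in the path come back
  // percent-encoded (%22, %20), so the attribute boundary cannot be broken.
  return url.href;
}

// Hardened: validate (falling back to a known-good icon) and escape on output.
function renderPriorityIconHardened(priority) {
  const safeUrl = validateIconUrl(priority.iconUrl) ?? DEFAULT_ICON;
  return `<img class="priority-icon" src="${escapeHtmlAttribute(safeUrl)}" alt="${escapeHtmlAttribute(priority.name)}">`;
}

// Constructed priority record as a Product Admin might save it.
const maliciousPriority = { name: 'Highest', iconUrl: CONSTRUCTED_PAYLOAD };

console.log('vulnerable:', renderPriorityIconVulnerable(maliciousPriority));
console.log('hardened:  ', renderPriorityIconHardened(maliciousPriority));
```

The write-time check belongs in the settings endpoint that saves the priority, not only in the UI, and the render-time escaping belongs in the template layer; either one alone leaves a gap if the other is bypassed.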

