CVE-2018-13403 in JIRA

Summary

by MITRE

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.


Analysis

by VulDB Data Team • 05/10/2020

The vulnerability identified as CVE-2018-13403 represents a critical cross site scripting flaw within Atlassian Jira's two-dimensional filter statistics gadget functionality. This security weakness affects multiple version ranges: Jira versions prior to 7.6.10, versions 7.7.0 through 7.12.3, and version 7.13.0, making it a widespread concern for organizations running these releases. The vulnerability stems from insufficient input validation and output encoding in the filter name handling process, specifically when saved filters are rendered on Jira dashboards.

The technical implementation of this XSS vulnerability occurs through the improper sanitization of user-supplied input within the filter name parameter. When administrators or users create saved filters with maliciously crafted names containing HTML or JavaScript code, the application fails to adequately sanitize this input before displaying it within the gadget interface. This failure allows attackers to inject arbitrary script code that executes in the context of other users' browsers when they view the affected dashboard. The vulnerability specifically impacts the two-dimensional filter statistics gadget, which is commonly used for data visualization and reporting purposes within Jira's dashboard environment.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a range of malicious activities including session hijacking, credential theft, and data exfiltration. Attackers can leverage this vulnerability to steal authentication tokens, access sensitive project information, modify filter configurations, or even escalate privileges within the Jira environment. The attack vector is particularly concerning because it requires minimal user interaction beyond viewing the affected dashboard, making it an effective method for passive exploitation. The vulnerability can be exploited by unauthenticated attackers who simply need to create a malicious filter name and ensure it appears on a dashboard that other users will view.

Organizations should prioritize immediate remediation by upgrading to Jira versions 7.6.10, 7.12.4, or 7.13.1 respectively, which contain the necessary patches addressing this XSS vulnerability. System administrators should also implement additional defensive measures including input validation at multiple layers, output encoding for all user-supplied content, and regular security scanning of dashboard configurations. The vulnerability aligns with CWE-79 which specifically addresses cross site scripting flaws, and can be mapped to ATT&CK technique T1213.002 for credential access through web application session hijacking. Security teams should monitor for suspicious filter creation activities and implement network-level controls to detect potential exploitation attempts, as the vulnerability can be exploited through both direct injection and social engineering approaches where attackers manipulate dashboard content through legitimate user accounts.
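The following added example (not code from Atlassian or VulDB) checks a Jira version string against the affected ranges listed above and flags saved filter names that contain tag-like markup, showing the HTML-encoded form a gadget should render. The function names, the tag heuristic and the sample filter names are assumptions constructed for illustration.

```python
import html
import re

# Affected ranges from the advisory, as [first affected, first fixed) tuples.
AFFECTED = [
    ((0, 0, 0), (7, 6, 10)),    # before 7.6.10
    ((7, 7, 0), (7, 12, 4)),    # 7.7.0 up to, not including, 7.12.4
    ((7, 13, 0), (7, 13, 1)),   # 7.13.0 up to, not including, 7.13.1
]

# Heuristic (assumption): a saved filter name has no reason to contain an HTML tag.
TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def parse_version(text):
    """Turn '7.12.3' into (7, 12, 3). Assumes plain numeric dotted versions."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def fixed_version_for(text):
    """Return the fixed release to upgrade to, or None if the version is not affected."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= version < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def audit_filter_names(names):
    """Return (name, html_encoded_name) for every name that contains tag-like markup."""
    return [(n, html.escape(n, quote=True)) for n in names if TAG_LIKE.search(n)]


# Constructed sample data, not taken from a real instance.
SAMPLE_FILTERS = [
    "Open bugs by assignee",
    "R&D backlog",
    "Priority > High",
    "Q3 <script>alert(1)</script>",
]

if __name__ == "__main__":
    for v in ("7.6.9", "7.6.10", "7.12.3", "7.13.0", "7.13.1"):
        print(v, "->", fixed_version_for(v) or "not affected")
    for name, encoded in audit_filter_names(SAMPLE_FILTERS):
        print("review:", repr(name), "renders safely as", encoded)
```

Names such as "R&D backlog" and "Priority > High" are not flagged, since they contain HTML metacharacters but no tag; they still need output encoding when rendered.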
