Security researchers at Snapsec have disclosed a critical vulnerability in Jira Work Management, Atlassian's widely used project-tracking and task-management tool. The flaw is a Stored Cross-Site Scripting (XSS) vulnerability in an administrative configuration field.
Exploiting Jira’s Configuration Settings
The vulnerability lives in a seemingly low-risk configuration field. The researchers showed how a user holding a comparatively limited administrative role could use it to take over an entire Atlassian organization.
Within Jira, work is tracked as 'issues', each carrying customizable data fields such as priority. Administrators can define their own priority levels to match how their organization works.
During their analysis, the researchers found that users with the relevant administrative permission could create a custom priority and set its 'icon URL' property. The backend neither validated this value as a URL nor encoded it when rendering it into pages, so a script payload could be stored in the field and emitted into the browser of anyone who viewed a page that displayed the priority.
Impact of Stored XSS on Administrators
The danger of stored XSS is that the payload executes in a victim's browser the moment a page containing it is viewed, with no link to click and no interaction needed. Because the payload here is planted by an authenticated user who can edit priorities, the question Snapsec set out to answer was whether this authenticated XSS could be turned against higher-privileged administrators.
By examining Jira's user management roles, the team pinpointed the 'Product Admin' role as the one able to create custom priorities. Product Admins may have limited access to other Atlassian applications such as Confluence, yet they can still perform sensitive administrative actions in Jira, including editing issue priorities.
Executing the Organizational Takeover
To execute the attack, a malicious or compromised Product Admin navigates to the Jira issue settings, adds a new custom priority, and places the script payload in its icon URL. When a higher-privileged user, such as a Super Admin, later views a page that renders that priority, the payload executes silently in their browser.
Running with the Super Admin's authenticated session, the script issues a request that invites an attacker-controlled account into the organization. From that point the attacker holds full access across the organization's Atlassian products and can modify or delete projects throughout the environment.
This vulnerability underscores that "admin-only" settings are still untrusted input: roles are not equal, and a value written by a Product Admin is rendered in a Super Admin's browser. Even mature platforms carry high-risk flaws when a configuration field is neither validated on write nor encoded for its output context on read. Vendors should allowlist URL schemes and apply context-aware output encoding on such fields; Jira customers, who cannot patch the platform themselves, should limit who holds the Product Admin role and review changes to issue settings and organization invitations.
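The following is an added example, written for this page rather than taken from Snapsec's proof of concept or from Atlassian's code, that illustrates both the flaw described under 'Exploiting Jira's Configuration Settings' and the remediation advice above. It models a generic server-side template that renders a priority's icon URL into an <img> tag. The function names, the default icon path and every payload are constructed for illustration; the real Jira rendering code and the exact payload Snapsec used are not shown here.

```javascript
// Added illustrative example (not Snapsec's PoC, not Atlassian code).
// Shows why an unvalidated, unencoded "icon URL" becomes stored XSS, and
// the two layers that close it: scheme allowlisting at write time and
// context-aware encoding at render time. All names and payloads are constructed.

// Constructed sample values an attacker with "edit priorities" rights could store.
const PAYLOADS = {
  benign: "https://cdn.example.test/icons/high.png",
  // Closes the src attribute and adds an event handler (classic attribute breakout).
  attributeBreakout: 'x" onerror="alert(document.domain)',
  // Survives plain HTML encoding untouched; only a scheme allowlist stops it.
  jsScheme: "javascript:alert(document.domain)",
  dataHtml: "data:text/html,<script>alert(1)</script>",
};

// Vulnerable renderer: the stored value is concatenated straight into HTML.
// With PAYLOADS.attributeBreakout this yields <img src="x" onerror="...">.
function renderPriorityIconVulnerable(priority) {
  return `<img class="priority-icon" src="${priority.iconUrl}" alt="${priority.name}">`;
}

// Encode a value for a double-quoted HTML attribute context.
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Validate an icon URL: it must parse as an absolute URL and use http(s).
// Anything else (javascript:, data:, unparsable junk) is rejected outright.
function validateIconUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { ok: true, url: url.href };
}

// Write-time check: a Product Admin's request to create a priority is refused
// if the icon URL fails validation, so the bad value is never stored.
function createCustomPriority(name, iconUrl) {
  const check = validateIconUrl(iconUrl);
  if (!check.ok) {
    throw new Error(`rejected icon URL: ${check.reason}`);
  }
  return { name, iconUrl: check.url };
}

// Read-time defence in depth: even if a bad value reached storage (older data,
// another write path), the renderer re-validates and encodes every attribute.
const DEFAULT_ICON = "/static/icons/default.png"; // constructed placeholder path

function renderPriorityIconHardened(priority) {
  const check = validateIconUrl(priority.iconUrl);
  const src = check.ok ? check.url : DEFAULT_ICON;
  return `<img class="priority-icon" src="${encodeAttr(src)}" alt="${encodeAttr(priority.name)}">`;
}

// Demonstrates the point made in the text: encoding alone neutralises the
// attribute breakout but leaves a javascript: URL intact, so the scheme
// allowlist is not optional.
function encodingAloneIsEnough(payload) {
  return encodeAttr(payload) !== payload;
}
```

The write-time check is the fix the article calls for; the hardened renderer is the caveat a practitioner would add, because a field that has been writable for years may already hold values the new validation would never have accepted.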
