- Bug
- Resolution: Invalid
- Normal
- None
- None
- None
- Village
Just want to help out; I do professional IT security web dev, etc. I noticed this site is running old jQuery. I have seen this issue many times on MANY sites. Sometimes upgrading to the latest jQ may break some neat features but it's well worth it. You can find references to the issues based on the CVE #. Also, view any part of this webpage (not just Jira) and go to inspect/console. Try to issue:
$.ajax("https://www.msn.com/robots.txt");
I have no permission to check anything further w/o your approval, but if you look at the user list on your Jira here, many people are trying to hack / XSS this site. If this was my site, I would not let anyone just sign up for Jira.
If you want further help I'd love to.
dj substance
substance@9x.network
jquery | 2.2.4 | Found in https://tickets.metabrainz.org/s/0da634c1d8b735b75781a7fdb5ffda44-CDN/-6qeasv/820002/1ojahc1/c95955c3a0b2b5bb35a047ca6970ceb9/_/download/contextbatch/js/_super/batch.js?locale=en-US
Vulnerability info:
Medium | 2432 3rd party CORS request may execute CVE-2015-9251 | 1 2 3 4 |
Medium | CVE-2015-9251 11974 parseHTML() executes scripts in event handlers | 1 2 3 |
Medium | CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution | 1 2 3 |
Medium | CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS | 1 |
Medium | CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XS | |
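
The CVE-2019-11358 entry in the scanner output above describes Object.prototype pollution through a deep `jQuery.extend(true, {}, ...)`. The following is an added example, not part of the original report and not jQuery's source: a simplified deep merge with that flaw beside a hardened version. The function names and the sample input are constructed for illustration.

```javascript
// Simplified model of a recursive deep merge (assumption: stands in for
// the deep-extend behaviour named in CVE-2019-11358; not jQuery's code).
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Flawed: copies every key. For the key "__proto__", target[key] resolves
// to Object.prototype, so the recursion writes into the shared prototype.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: only own keys are copied, and keys that reach the prototype
// chain are skipped before any read or write on the target.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse makes "__proto__" an ordinary own key.
  const input = JSON.parse('{"theme":{"color":"blue"},"__proto__":{"polluted":true}}');
  unsafeDeepMerge({}, input);
  const unsafePolluted = ({}).polluted === true; // unrelated objects now inherit it
  delete Object.prototype.polluted;              // restore the prototype
  const merged = safeDeepMerge({}, input);
  const safePolluted = ({}).polluted === true;
  return { unsafePolluted, safePolluted, color: merged.theme.color };
}
```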