WEB-1023

bugs.mojang.com is vulnerable to SSRF

bugs.mojang.com is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2017-9506

Combining that SSRF vulnerability with an XSS payload it is possible to execute JavaScript in the context of bugs.mojang.com

for example: https://bugs.mojang.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://oliverhough.cloud/x.html

I would advise that you update Jira

Status:Fixed

Reporter:Oliver Hough

Assignee:[Mojang] Web Team

Created:2018-04-24, 01:53 PM

Updated:2018-05-11, 01:43 PM

Resolved:2018-05-11, 12:08 PM

Votes:2

Watchers:3

Labels: