...
Info |
---|
The following findings are specifically excluded: XSS and CSRF for the configuration fields. Universal Gadget for Jira relies on injection and dynamic interpretation of JavaScript. Therefore, for Universal Gadget it is acceptable that JavaScript added to the gadget configuration is executed, although this would be treated as a bug in most apps. Please see the image. Testing privileges and REST services under admin accounts. Admins have rights to view, add, edit, and delete any data within their host Jira instance.
|
...
Last updated 30 Mar 2020 20:15:22 UTC
Technical severity | Reward |
---|---|
P1 Critical | $1,500 |
P2 Severe | $900 |
P3 Moderate | $300 |
P4 Low | $100 |
P5 submissions do not receive any rewards for this program.
...