DOM-based Cross Site Scripting Vulnerability- backbone-1.0.0.js

Janaki Lenagala January 18, 2022

We are using the below versions of JIRA.

  1. Jira Server - 8.21
  2. Jira service management - 4.21.0
  3. Adaptavist ScriptRunner - 6.41.0
  4. JEMH -3.3.71
  5. JSU Automation Suite -2.32
  6. Atlassian Universal Plugin Manager - 5.1.2


And we are getting the below vulnerability when we do the VA scan. Does anyone know how to solve this issue and which plugin has this js file?

siteurl/c277de0b4cdbabf116059d3b0bf2ca75-CDN/-h2lxxw/821000/1vdrktf/d2e244e05c844200cbfd78d4cbb94e58/_/download/contextbatch/js/_super/factories/backbone/1.0.0/backbone-1.0.0-factory.js

* Line 33: Unsafe client output calling this.location.replace() with tainted arg
* Line 33: String concatenation with user-controlled value
* Line 33: String concatenation with user-controlled value
* Line 33: String concatenation with user-controlled value
* Line 33: "this.location.search" is controlled by the user
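As an added illustration (not code from this thread, from Jira, or from Backbone), the following JavaScript models the pattern the scanner is reporting: a same-document redirect assembled by concatenating a fixed root path, `location.search` and a fragment, then handed to `location.replace()`. The helper names (`buildTarget`, `staysOnOrigin`, `triage`, `demo`) and all sample values are constructed for this example. The guard is the check a reviewer makes when triaging this class of finding: can the assembled target ever resolve outside the page's own origin?

```javascript
// Added example, not from the thread, Jira or Backbone. Models the flagged
// shape (location.replace(root + location.search + '#' + fragment)) together
// with a same-origin guard used when triaging the scanner finding.
// Runs under Node with the WHATWG URL API; no browser needed.

// Mirrors the flagged pattern: plain string concatenation with the query string.
function buildTarget(root, search, fragment) {
  return root + search + '#' + fragment;
}

// True only when `target`, resolved against the current page URL, keeps an
// http(s) scheme and the page's origin. Resolution is what matters for triage:
// a path-relative root such as '/jira/' can only land on the same host, while
// a protocol-relative or absolute root can change the host.
function staysOnOrigin(target, pageHref) {
  let resolved;
  try {
    resolved = new URL(target, pageHref);
  } catch (err) {
    return false; // unparsable target: treat as unsafe
  }
  const page = new URL(pageHref);
  const httpScheme = resolved.protocol === 'https:' || resolved.protocol === 'http:';
  return httpScheme && resolved.origin === page.origin;
}

// Triage wrapper: returns the string that would reach location.replace() and
// whether it stays on-origin. A hardened caller performs the replace() only
// when `safe` is true.
function triage(root, search, fragment, pageHref) {
  const target = buildTarget(root, search, fragment);
  return { target, safe: staysOnOrigin(target, pageHref) };
}

// Constructed sample page URL (not taken from any real deployment).
const PAGE = 'https://jira.example.test/jira/secure/Dashboard.jspa';

// Three constructed cases a reviewer would walk through.
function demo() {
  return [
    // Fixed path root plus a user-influenced query: stays on origin.
    triage('/jira/', '?selectedItem=1', 'dashboard', PAGE),
    // Query carrying markup characters: still only a query string.
    triage('/jira/', '?q=%22%3E%3Cb%3E', 'dashboard', PAGE),
    // Protocol-relative root: resolves to another host, so the guard rejects it.
    triage('//other.example.test/', '?a=1', 'x', PAGE),
  ];
}

for (const result of demo()) {
  console.log(result);
}
```

The point for triage is that the query string alone cannot move the navigation off the current origin when the root is a fixed path; the guard only fails when the root itself can introduce a scheme or host, which is the condition to confirm against the actual code before treating the finding as exploitable.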

1 answer

0 votes
Vishwas
Rising Star
January 18, 2022

Hey @Janaki Lenagala 

Are you using any external tool to do this VA scan?

If there are any vulnerabilities found, the best way to check this is to get in direct contact with the Atlassian Support Team; they can review those and suggest remediation.

Create a ticket here https://support.atlassian.com/contact/#/

Regards,

Vishwas

Janaki Lenagala January 19, 2022

The VA scan is done by a third party. I am not sure what tool they are using.

I already raised a ticket with the Atlassian team, but they are saying that it is not a native file from JIRA.

Vishwas
Rising Star
January 19, 2022

Got it, as you suspected, it might be from some add-on. I see you have listed a few add-ons; is that the full list, or do you have any others?

Ask the Atlassian team if they can help identify which add-on is causing this. Based on that, you can get in touch with the vendor directly.

Janaki Lenagala January 30, 2022

Hi Vishwas,

That backbone-1.0.0 file is in the jslibs-3.0.0.jar file of JIRA.

Vishwas
Rising Star
January 30, 2022

Hey @Janaki Lenagala 

Can you just find out the exact path of the file and paste it here, so that I can figure out which plugin it is coming from? I would rather suggest asking the Atlassian team on the ticket to tell you what this is, since they mentioned it was not a native Jira file, right?

Regards,

Vishwas

Alex.Aleksandrov
I'm New Here
April 25, 2022

Hi @Janaki Lenagala, our scan reports the same vuln and I believe it's caused by a plugin. Then I came across this blog. Were you able to remediate this?
