This High severity DOM-based XSS vulnerability known as CVE-2025-66021 was introduced in versions 10.2.9, 11.0.7, 12.0.1, and 12.1.0 of Bamboo Data Center and Server.

This DOM-based XSS vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser.

Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Bamboo Data Center and Server 10.2: Upgrade to a release greater than or equal to 10.2.14

• Bamboo Data Center and Server 12.1: Upgrade to a release greater than or equal to 12.1.2

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).

The National Vulnerability Database provides the following description for this vulnerability:

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. At time of publication no known patch is available.

This vulnerability was internally discovered using an automated Software Composition Analysis scanner.