We have identified vulnerabilities in JIRA that allow an attacker to carry out XSS (Cross-Site Scripting) attacks against JIRA users. Some attacks possible with these vulnerabilities include:
- An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
- An attacker's text and script might be displayed to other people viewing the JIRA page.
We recommend that you apply the attached patch immediately to address these vulnerabilities.
The instructions for applying the patch are contained in the Readme file included in the attached zip. Please download the appropriate patch for your version of JIRA (these patches have only been tested on the point releases specified in the zip filename). If you are not on the point release that the patch was created for, we recommend that you first upgrade to the latest point release for your version of JIRA before applying the patch.
Alternatively, if you are not in a position to do this immediately and you judge it necessary, you could disable public access to JIRA (for example, by removing the relevant global or project-specific 'Anyone' permissions and changing JIRA's mode to disable public signup) until you have applied the necessary patches. For even tighter control, you could restrict access to trusted groups.
If you are applying this patch, we also recommend you apply the patch for