XSS Vulnerabilities in JIRA Attachments?


    • 4.04

      At the moment, JIRA does not have any restrictions on attachment files, which allows users to upload malicious files to JIRA issues. This can be a problem when we open an attachment using Mozilla Firefox, since the browser allows us to open attachments in the web browser. The steps to reproduce the problem are as follows:

      • Access JIRA using Firefox
      • A sample HTML file containing a malicious script is uploaded to JIRA
        <script>alert("This is XSS");</script>

      • Open the file with Firefox
      • The script runs inside the browser

        1. scshot1.png
          89 kB
          Ahmad Faisal
        2. scshot2.png
          39 kB
          Ahmad Faisal
        3. scshot3.png
          259 kB
          Ahmad Faisal

              Assignee:
              Unassigned
              Reporter:
              Ahmad Faisal (Inactive)
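A mitigation for the behaviour reported above, as an added example that is not part of the original issue and not JIRA's own code: a server-side header policy that lets only an allow-list of passive types render inline and forces everything else, including HTML, to download. The function name `attachment_headers` and the allow-list contents are assumptions.

```python
from urllib.parse import quote

# Assumed allow-list: types a browser displays without executing script.
# text/html, image/svg+xml and XML types are left out on purpose.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Build response headers for serving a user-uploaded attachment."""
    # Normalise "Text/HTML; charset=utf-8" to "text/html" before comparing.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    inline = media_type in INLINE_SAFE

    # RFC 5987 encoding keeps quotes, CR/LF and non-ASCII out of the header.
    encoded_name = quote(filename, safe="")
    disposition = "inline" if inline else "attachment"

    return {
        # Unknown or active types are downgraded to an opaque download.
        "Content-Type": media_type if inline else "application/octet-stream",
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{encoded_name}",
        # Stop the browser from sniffing HTML out of a mislabelled file.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if the file is rendered anyway, it gets an
        # opaque origin with scripts disabled.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads: (filename, declared Content-Type)
    samples = [
        ("xss.html", "text/html"),
        ("scshot1.png", "image/png"),
        ("logo.svg", "image/svg+xml"),
        ('a"\r\nSet-Cookie: x=1.txt', "text/plain"),
    ]
    for name, ctype in samples:
        headers = attachment_headers(name, ctype)
        shown = name.encode("unicode_escape").decode()
        print(shown, "->", headers["Content-Type"], "|", headers["Content-Disposition"])
```

Serving attachments from a separate origin that holds no session cookies complements these headers, since a script that does run then has no access to the issue tracker's session.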