Jira Data Center
JRASERVER-67076

XSS in the Trello board importer resource - CVE-2017-18097

      The Trello board importer resource in Atlassian Jira before version 7.6.1 and before version 7.7.0 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
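As an added illustration of the bug class described above (example code, not Jira's or Atlassian's code, and not the actual importer logic), the Python sketch below builds an import-preview page from a constructed Trello export fragment twice: once by string concatenation, which lets a card name carry live markup into the administrator's browser, and once with every untrusted value escaped for the HTML text context it lands in. The helper names, the export layout and the sample card are all assumptions made for this example.

```python
"""Illustration of the CVE-2017-18097 bug class: an attacker-controlled Trello
card name copied into an importer's HTML page. Hypothetical code, not Jira's."""
import html
import json
from html.parser import HTMLParser

# Constructed Trello export fragment (an assumption for this example). Card
# names are attacker-controlled: anyone who can edit a shared board sets them.
TRELLO_EXPORT = json.dumps({
    "name": "Sprint board",
    "cards": [
        {"name": "Fix login bug", "desc": "..."},
        {"name": "<img src=x onerror=alert(1)>", "desc": "looks harmless"},
    ],
})


def render_preview_vulnerable(export_json):
    """Builds the 'review cards before import' page by string concatenation.
    The card name is dropped into an HTML text node unescaped, so markup in
    it is parsed and runs in the administrator's browser when the preview
    loads (the pattern the advisory above describes)."""
    board = json.loads(export_json)
    rows = "".join("<li>%s</li>" % card["name"] for card in board["cards"])
    return "<h2>%s</h2><ul>%s</ul>" % (board["name"], rows)


def render_preview_fixed(export_json):
    """Same page with every untrusted value escaped for the HTML text context.
    quote=True also neutralises ' and " so the helper stays safe if a value is
    later reused inside a quoted attribute."""
    board = json.loads(export_json)

    def esc(value):
        return html.escape(str(value), quote=True)

    rows = "".join("<li>%s</li>" % esc(card["name"]) for card in board["cards"])
    return "<h2>%s</h2><ul>%s</ul>" % (esc(board["name"]), rows)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    """Regression check for this bug class: the tags present in the rendered
    page must be exactly the ones the template emits, whatever the card
    names contain. Anything extra came from untrusted data."""
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_preview_vulnerable(TRELLO_EXPORT)))
    print("fixed:     ", tags_in(render_preview_fixed(TRELLO_EXPORT)))
```

The parser-based check is the assertion a unit test for an importer should make: compare the tag list of the rendered page against the template's own tags rather than grepping for `<script`. Escaping must also match the output context; `html.escape` is right for text nodes and quoted attributes, but a card name interpolated into a JavaScript string or a URL needs that context's encoder instead.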


Priya Varghese added a comment:

Hello,

Thank you so much for your comments on this issue. We value your feedback.
We're doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we'd like to invite you to take part in an upcoming customer research study.

What's involved in the research:

• We'll schedule a 1-hour session at a time that's convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe.
• During the research, we'll start with a general chat to get to know you, and then we'd like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool.
• As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session.

If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you.
If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com

We look forward to meeting you!

Cheers,
Priya Varghese
(Migrations Experience Design Team)


Security Metrics Bot added a comment:

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.7 => High severity

Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: High
    Privileges Required: Low
    User Interaction: Required

Scope Metric
    Scope: Changed

Impact Metrics
    Confidentiality: High
    Integrity: High
    Availability: None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Note: This XSS has scored a High because the attack only targets administrative Jira users, and so the risk is higher (as well as the difficulty of convincing an admin to import a Trello board for you, hence attack complexity high here).

