
XSS in the Trello board importer resource - CVE-2017-18097

      The Trello board importer resource in Atlassian Jira before version 7.6.1 and before version 7.7.0 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.

            [JRASERVER-67076] XSS in the Trello board importer resource - CVE-2017-18097

            Hello,

            Thank you so much for your comments on this issue. We value your feedback.
            We’re doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we’d like to invite you to take part in an upcoming customer research study.
             
            What’s involved in the research:

            • We’ll schedule a 1-hour session at a time that’s convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe.
            • During the research, we'll start with a general chat to get to know you, and then we’d like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool.
            • As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session.

             
            If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you.
            If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com
            We look forward to meeting you!
             
            Cheers,
            Priya Varghese
            (Migrations Experience Design Team)

            set-jac-bot made changes -
            Bugfix Automation Bot made changes -
            Minimum Version New: 7.05
            Owen made changes -
            Component/s New: Jira Importers Plugin [ 44190 ]
            Component/s Original: Backup & Restore - Import from Trello [ 44293 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2830053 ] New: JAC Bug Workflow v3 [ 2911692 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Symptom Severity Original: Major [ 14431 ] New: Severity 2 - Major [ 15831 ]
            Owen made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2653628 ] New: JAC Bug Workflow v2 [ 2830053 ]
            Status Original: Closed [ 6 ] New: Resolved [ 5 ]
            David Black made changes -
            Description Original: The Trello board importer resource in Atlassian Jira Server before version 7.6.1 and before version 7.7.0 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. New: The Trello board importer resource in Atlassian Jira before version 7.6.1 and before version 7.7.0 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
            David Black made changes -
            Labels Original: CVE-2017-18097 advisory advisory-to-release bugbounty cvss-high security sxss xss New: CVE-2017-18097 advisory advisory-released bugbounty cvss-high security sxss xss
            David Black made changes -
            Security Original: Atlassian Staff [ 10750 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot