• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.5.4, 8.8.0, 8.7.1
• Affects Version/s: 7.6.0, 7.13.0, 7.6.15, 8.5.1, 7.13.12, 8.7.0, 8.6.1, 8.5.3
• Component/s: REST API
• Labels:

  • CVE-2020-14173
  • advisory
  • advisory-released
  • bugbounty
  • cvss-high
  • security
  • sxss
  • xss

[JRASERVER-70814] Stored XSS via malicious file upload - CVE-2020-14173

David Black made changes - 19/Nov/2020 4:59 AM

Labels

Original: CVE-2020-14173 advisory advisory-to-release bugbounty cvss-high security sxss xss

New: CVE-2020-14173 advisory advisory-released bugbounty cvss-high security sxss xss

Collapse comment: Tobias added a comment - 14/Sep/2020 11:42 AM

Tobias added a comment - 14/Sep/2020 11:42 AM

Will there be a fix for LTS versions above 8.5.4?

Expand comment: Tobias added a comment - 14/Sep/2020 11:42 AM

Tobias added a comment - 14/Sep/2020 11:42 AM Will there be a fix for LTS versions above 8.5.4?

Dave (Inactive) made changes - 20/Aug/2020 11:54 PM

Description

Original: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. *Affected versions*  * version < 8.5.4  * 8.6.0 ≤ version < 8.7.0  * 8.7.0 ≤ version < 8.7.1 *Fixed versions*  * 8.5.4  * 8.7.1  * 8.8.0

New: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. *Affected versions*  * version < 8.5.4  * 8.6.0 ≤ version ≤ 8.7.0  * 8.7.0 ≤ version < 8.7.1 *Fixed versions*  * 8.5.4  * 8.7.1  * 8.8.0

Dave (Inactive) made changes - 20/Aug/2020 11:53 PM

Description

Original: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. *Affected versions*  * version < 8.5.4  * 8.6.0 ≤ version < 8.6.2  * 8.7.0 ≤ version < 8.7.1 *Fixed versions*  * 8.5.4  * 8.6.2  * 8.7.1  * 8.8.0

New: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. *Affected versions*  * version < 8.5.4  * 8.6.0 ≤ version < 8.7.0  * 8.7.0 ≤ version < 8.7.1 *Fixed versions*  * 8.5.4  * 8.7.1  * 8.8.0

Dave (Inactive) made changes - 20/Aug/2020 11:52 PM

Fix Version/s

Original: 8.6.2 [ 91193 ]

AB made changes - 03/Jul/2020 1:50 AM

Summary

Original: Stored XSS via malicious file upload

New: Stored XSS via malicious file upload - CVE-2020-14173

AB made changes - 03/Jul/2020 1:50 AM

Labels

Original: advisory advisory-to-release bugbounty cve-in-progress cvss-high security sxss xss

New: CVE-2020-14173 advisory advisory-to-release bugbounty cvss-high security sxss xss

AB made changes - 02/Jul/2020 4:00 AM

Labels

Original: advisory advisory-to-release bugbounty cvss-high security sxss xss

New: advisory advisory-to-release bugbounty cve-in-progress cvss-high security sxss xss

Collapse comment: trtherrien added a comment - 15/Jun/2020 2:49 PM

trtherrien added a comment - 15/Jun/2020 2:49 PM

Does version 7.13.13 require an update and would we have to go all the way to 8.5.4?

Expand comment: trtherrien added a comment - 15/Jun/2020 2:49 PM

trtherrien added a comment - 15/Jun/2020 2:49 PM Does version 7.13.13 require an update and would we have to go all the way to 8.5.4?

Mahtab made changes - 12/Jun/2020 8:52 PM

Affects Version/s

New: 8.5.1 [ 89499 ]

Load more older events