Stored XSS in Add Field module - CVE-2019-20900

XMLWordPrintable

    • 8.02
    • Severity 3 - Minor
    • Hide

       

      Atlassian Update – 01 February 2021

       
      Hi,

      We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

      We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

      To fix this manually,

      1. In Jira, go to Administration > General Configuration, and select Edit Settings.
      2. Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

      We also advise to upgrade to the latest Jira 8.13 LTS release.

       

      Thank you,

      Jira Server and Data Center Team

      Show
        Atlassian Update – 01 February 2021   Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release.   Thank you, Jira Server and Data Center Team

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module.

      Affected versions:

      • version < 8.7.0

      Fixed versions:

      • 8.7.0

            Assignee:
            Unassigned
            Reporter:
            Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated:
              Resolved: