[JRASERVER-71113] XSS in Issue - Attachments - CVE-2020-4024 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.5, 8.8.2, 8.10.0, 8.9.1
Affects Version/s: 8.7.1
Component/s: Issue - Attachments
Labels:
- CVE-2020-4024
- advisory
- advisory-released
- bugbounty
- cvss-high
- security
- xss

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.07
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.

Affected versions:

version < 8.5.5
8.6.0 ≤ version < 8.8.2
8.9.0 ≤ version < 8.9.1

Fixed versions:

8.5.5
8.8.2
8.9.1
8.10.0

mentioned in: Page Failed to load; Page Failed to load

Security Metrics Bot added a comment - 29/May/2020 5:18 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.1 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Security Metrics Bot added a comment - 29/May/2020 5:18 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.1 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 29/May/2020 5:18 AM

Updated:: 08/Mar/2021 3:42 PM

Resolved:: 29/May/2020 6:04 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-71113] XSS in Issue - Attachments - CVE-2020-4024

Collapse comment: Security Metrics Bot added a comment - 29/May/2020 5:18 AM

Expand comment: Security Metrics Bot added a comment - 29/May/2020 5:18 AM

People

Dates