• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.9.0, 8.8.2, 8.5.9
• Affects Version/s: 8.5.1, 8.5.3
• Component/s: Issue - Fields
• Labels:

  • CVE-2020-14164
  • advisory
  • advisory-released
  • cvss-medium
  • security
  • xss

[JRASERVER-71184] XSS in WYSIWYG editor via pasted code - CVE-2020-14164

Mark Lang made changes - 13/Oct/2020 1:45 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 509303 ]

AB made changes - 06/Oct/2020 11:00 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the WYSIWYG editor. *Affected versions:*  * version < 8.8.2 *Fixed versions:*  * 8.8.2  * 8.9.0

New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the WYSIWYG editor. The affected versions are before 8.5.9, and from version 8.6.0 before 8.8.2.   *_Affected versions:_*  * version < 8.5.9  * 8.6.0 ≤ version < 8.8.2 *_Fixed versions:_*  * 8.5.9  * 8.8.2  * 8.9.0

Collapse comment: AB added a comment - 06/Oct/2020 10:59 PM, Edited by AB - 06/Oct/2020 10:59 PM

AB added a comment - 06/Oct/2020 10:59 PM - edited

Hi, this is now fixed in 8.5 Enterprise LTS, in version 8.5.9.

Expand comment: AB added a comment - 06/Oct/2020 10:59 PM, Edited by AB - 06/Oct/2020 10:59 PM

AB added a comment - 06/Oct/2020 10:59 PM - edited Hi, this is now fixed in 8.5 Enterprise LTS, in version 8.5.9.

AB made changes - 06/Oct/2020 10:58 PM

Summary

Original: XSS in Issue - Fields - CVE-2020-14164

New: XSS in WYSIWYG editor via pasted code - CVE-2020-14164

AB made changes - 06/Oct/2020 10:58 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in WYSIWYG editor. *Affected versions:*  * version < 8.8.2 *Fixed versions:*  * 8.8.2  * 8.9.0

New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the WYSIWYG editor. *Affected versions:*  * version < 8.8.2 *Fixed versions:*  * 8.8.2  * 8.9.0

Collapse comment: James M added a comment - 24/Sep/2020 6:00 PM

James M added a comment - 24/Sep/2020 6:00 PM

Is this fixed on 8.5 Enterprise LTS?

Expand comment: James M added a comment - 24/Sep/2020 6:00 PM

James M added a comment - 24/Sep/2020 6:00 PM Is this fixed on 8.5 Enterprise LTS?

set-jac-bot made changes - 16/Sep/2020 11:09 AM

Fixed in Long Term Support Release/s

New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

AB made changes - 16/Sep/2020 4:39 AM

Fix Version/s

New: 8.5.9 [ 92910 ]

Collapse comment: Nancy Orlowski added a comment - 09/Sep/2020 3:01 PM

Nancy Orlowski added a comment - 09/Sep/2020 3:01 PM

We would also like to know the fix version for 8.5? Enterprise. 

Expand comment: Nancy Orlowski added a comment - 09/Sep/2020 3:01 PM

Nancy Orlowski added a comment - 09/Sep/2020 3:01 PM We would also like to know the fix version for 8.5? Enterprise. 

Collapse comment: Kimberly Deal added a comment - 27/Aug/2020 7:51 PM

Kimberly Deal added a comment - 27/Aug/2020 7:51 PM

What will the fix version for 8.5 be for this?  I see that it was introduced in 8.5.  We need supported fixes for the Enterprise Release Versions

Expand comment: Kimberly Deal added a comment - 27/Aug/2020 7:51 PM

Kimberly Deal added a comment - 27/Aug/2020 7:51 PM What will the fix version for 8.5 be for this?  I see that it was introduced in 8.5.  We need supported fixes for the Enterprise Release Versions

Load more older events