The quick search component in Atlassian Jira Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

Affected versions:

• version < 8.9.1

Fixed versions:

• 8.9.1
• 8.10.0

[JRASERVER-71205] XSS in Navigation - Search - CVE-2020-14169
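An added example, not code from the Jira issue or from Atlassian, that applies the affected and fixed ranges above to a Jira version string: it parses the version numerically (so 8.10.0 is correctly treated as later than 8.9.1, which a plain string comparison gets wrong) and flags instances still below 8.9.1. The serverInfo payloads are constructed; the endpoint path in the comments is assumed from Jira's public REST API.

```python
"""Check a Jira Server/Data Center version against CVE-2020-14169.

Affected: < 8.9.1. Fixed: 8.9.1, 8.10.0 (both from the advisory above).
In a live check the version string would come from the "version" field of
GET /rest/api/2/serverInfo; the payloads below are constructed samples.
"""
import json
import re
from typing import Tuple

FIRST_FIXED = (8, 9, 1)              # earliest fixed release in the advisory
FIXED_VERSIONS = {(8, 9, 1), (8, 10, 0)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.5.6' -> (8, 5, 6); '8.10.0-SNAPSHOT' -> (8, 10, 0); '8.9' -> (8, 9, 0)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised Jira version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so that '8.9' and '8.9.0' compare equal.
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the release predates the first fixed version (8.9.1)."""
    return parse_version(version)[:3] < FIRST_FIXED


def assess_server_info(server_info_json: str) -> dict:
    """Report whether a serverInfo document describes an affected instance
    and whether it runs one of the releases the advisory lists as fixed."""
    info = json.loads(server_info_json)
    version = info["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "on_listed_fix": parse_version(version)[:3] in FIXED_VERSIONS,
    }


# Constructed sample payloads; the shape follows serverInfo, the values are made up.
SAMPLES = [
    '{"baseUrl": "https://jira.example.test", "version": "8.5.6", "deploymentType": "Server"}',
    '{"baseUrl": "https://jira.example.test", "version": "8.9.1", "deploymentType": "DataCenter"}',
    '{"baseUrl": "https://jira.example.test", "version": "8.10.0", "deploymentType": "Server"}',
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(assess_server_info(payload))
```

Note that an 8.5.x LTS instance is reported as affected here because the advisory lists no 8.5 fix version, which is exactly the gap the comments below raise.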

JHC added a comment -

Our internal Security groups are certainly interested in getting this fixed as well.

Kimberly Deal added a comment -

Here to also comment that this needs to be backported to 8.5. Long Term Support means just that. Support until end of life.

Jim Walsh added a comment -

I agree with the above comment questioning the Low priority/minor severity. With just the context that privileges are not required to exploit this vulnerability, we need more information from Atlassian support as to the true risk of exposure.

Please clarify if the attacker needs to be authenticated first. If authentication is not required, I would ask that this issue be raised to a level worthy of backporting to 8.5.

Brad Taplin added a comment -

Not only is this closed prematurely, insofar as LTS, i.e. the LONG TERM SUPPORT version, does not yet have the fix, but since when is a Cross-Site Scripting (XSS) vulnerability low priority??

Jim Walsh added a comment -

Please confirm a patch is coming for 8.5.x. If there is no patch coming, please provide possible workaround steps.

Brad Taplin added a comment -

Hello. I understand that per https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html Jira 8.9.x and 8.10.x are not LTS releases. When will this resolution be backported to Jira 8.5.x please?

Assignee: Unassigned
Reporter: security-metrics-bot (Security Metrics Bot)
Affected customers: 0
Watchers: 16