- Public Security Vulnerability
- Resolution: Fixed
- Low
- 8.5.0, 8.13.0
- None
- 4.8
- Medium
CVE-2020-36234
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view.
The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
Affected versions:
- version < 8.5.11
- 8.6.0 ≤ version < 8.13.3
- 8.14.0 ≤ version < 8.15.0
Fixed versions:
- 8.5.11
- 8.13.3
- 8.15.0
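A version check against the ranges listed above, as an added example that is not part of the advisory or of Atlassian's tooling. The host names and inventory are constructed, and the function names are hypothetical. Versions are compared numerically, because a plain string comparison would sort 8.5.9 after 8.5.11 and wrongly report it as fixed.

```python
import re

# Affected ranges from the advisory text above:
# (inclusive lower bound, exclusive fixed version).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 11)),    # version < 8.5.11
    ((8, 6, 0), (8, 13, 3)),    # 8.6.0 <= version < 8.13.3
    ((8, 14, 0), (8, 15, 0)),   # 8.14.0 <= version < 8.15.0
]


def parse_version(text):
    """Turn '8.13.2' or '8.5' into a 3-tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'outside listed ranges' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            hit = is_affected(version)
        except ValueError:
            # Unparseable version strings need a manual look, not a guess.
            result[host] = "unknown"
            continue
        result[host] = "affected" if hit else "outside listed ranges"
    return result


# Constructed inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = {
    "jira-prod": "8.5.9",
    "jira-lts": "8.5.11",
    "jira-dc": "8.13.2",
    "jira-test": "8.15.0",
    "jira-old": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```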
The 8.15.0 upgrade has fixed the XSS issue at the view screen page but introduced an XSS issue in the Associate field to screen page, which is again vulnerable.
The XSS issue below was reproduced on version 8.15.0 in the Associate field to screen page, which was not present in the previous 8.14.0 version.