• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.5.14, 8.13.6, 8.16.1, 8.17.0
• Affects Version/s: 8.5.13, 8.13.5
• Component/s: None
• Labels:

  • CVE-2021-26078
  • advisory
  • advisory-released
  • dont-import
  • security

[JRASERVER-72392] Vulnerability in Search Template Leads to Reflected XSS JIRA Software Server - CVE-2021-26078

Collapse comment: Prerana Shenoy added a comment - 19/May/2021 9:04 PM

Prerana Shenoy added a comment - 19/May/2021 9:04 PM

Hey Oli, 

This security issue has been patched and rolled out in the `Fix Versions` mentioned in the ticket. 

The issue has been mitigated.

Thanks,

Prerana

Expand comment: Prerana Shenoy added a comment - 19/May/2021 9:04 PM

Prerana Shenoy added a comment - 19/May/2021 9:04 PM Hey Oli,  This security issue has been patched and rolled out in the `Fix Versions` mentioned in the ticket.  The issue has been mitigated. Thanks, Prerana

Collapse comment: CaptainHook added a comment - 14/May/2021 6:37 AM

CaptainHook added a comment - 14/May/2021 6:37 AM

Hey,

In your Bugbounty program on Bugcrowd

with this reference ID: 1286ca38c33de2fe058e9c357f5637778f85c1138853034796b14c3e636ba66d

Expand comment: CaptainHook added a comment - 14/May/2021 6:37 AM

CaptainHook added a comment - 14/May/2021 6:37 AM Hey, In your Bugbounty program on Bugcrowd with this reference ID: 1286ca38c33de2fe058e9c357f5637778f85c1138853034796b14c3e636ba66d

Collapse comment: Oliver Liebing added a comment - 12/May/2021 10:00 AM

Oliver Liebing added a comment - 12/May/2021 10:00 AM

Hi,
where can can I find detailed information about this possible security breach or how to check our system if it's relevant for us?

Regards,
Oli

Expand comment: Oliver Liebing added a comment - 12/May/2021 10:00 AM

Oliver Liebing added a comment - 12/May/2021 10:00 AM Hi, where can can I find detailed information about this possible security breach or how to check our system if it's relevant for us? Regards, Oli

Collapse comment: Prerana Shenoy added a comment - 10/May/2021 10:44 PM

Prerana Shenoy added a comment - 10/May/2021 10:44 PM

Yes, CVE-2021-26078 is now filed for this issue.

Expand comment: Prerana Shenoy added a comment - 10/May/2021 10:44 PM

Prerana Shenoy added a comment - 10/May/2021 10:44 PM Yes, CVE-2021-26078 is now filed for this issue.

Collapse comment: CaptainHook added a comment - 10/May/2021 10:24 AM

CaptainHook added a comment - 10/May/2021 10:24 AM

Hi Did you file **

• CVE-2021-26078 for this issue?

Expand comment: CaptainHook added a comment - 10/May/2021 10:24 AM

CaptainHook added a comment - 10/May/2021 10:24 AM Hi Did you file ** CVE-2021-26078 for this issue?

Collapse comment: CaptainHook added a comment - 07/May/2021 4:09 PM, Edited by CaptainHook - 07/May/2021 4:09 PM

CaptainHook added a comment - 07/May/2021 4:09 PM - edited

Hi b8165329c845 , thanks I will be waiting here.

Expand comment: CaptainHook added a comment - 07/May/2021 4:09 PM, Edited by CaptainHook - 07/May/2021 4:09 PM

CaptainHook added a comment - 07/May/2021 4:09 PM - edited Hi b8165329c845 , thanks I will be waiting here.

Collapse comment: Prerana Shenoy added a comment - 07/May/2021 4:03 PM

Prerana Shenoy added a comment - 07/May/2021 4:03 PM

Hi 975e6b46bd8f, I will check if there is a CVE already and if not I can go ahead and file one. I will update you on what I end up doing.

Expand comment: Prerana Shenoy added a comment - 07/May/2021 4:03 PM

Prerana Shenoy added a comment - 07/May/2021 4:03 PM Hi 975e6b46bd8f , I will check if there is a CVE already and if not I can go ahead and file one. I will update you on what I end up doing.

Collapse comment: CaptainHook added a comment - 07/May/2021 2:07 PM

CaptainHook added a comment - 07/May/2021 2:07 PM

@b8165329c845 Would you please manage my request?

Expand comment: CaptainHook added a comment - 07/May/2021 2:07 PM

CaptainHook added a comment - 07/May/2021 2:07 PM @ b8165329c845 Would you please manage my request?

Collapse comment: CaptainHook added a comment - 07/May/2021 9:31 AM

CaptainHook added a comment - 07/May/2021 9:31 AM

Hi thanks for Resolving this issue

Is this issue qualify for CVE id or not

Expand comment: CaptainHook added a comment - 07/May/2021 9:31 AM

CaptainHook added a comment - 07/May/2021 9:31 AM Hi thanks for Resolving this issue Is this issue qualify for CVE id or not

Collapse comment: Prerana Shenoy added a comment - 06/May/2021 4:01 PM

Prerana Shenoy added a comment - 06/May/2021 4:01 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Expand comment: Prerana Shenoy added a comment - 06/May/2021 4:01 PM

Prerana Shenoy added a comment - 06/May/2021 4:01 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.7 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N