JRASERVER-72716: Self-XSS via copying content from a PDF - CVE-2021-39111
Project: Jira Data Center

    • CVSS score: 4.2
    • Severity: Medium
    • CVE ID: CVE-2021-39111

      The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field. Because exploitation requires the victim to paste attacker-controlled content (for example text copied from a crafted PDF) into the editor, the issue is classified as a self-XSS.

      The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.
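      The root cause described above is an editor that takes the clipboard's text/html flavour and inserts it into the page as markup, so event-handler attributes and script tags in the pasted fragment run in the victim's own session. The block below is an added example, not code from Jira or the Editor plugin, of a paste handler that keeps only an allowlisted set of tag names and drops every attribute before insertion. The function names, the allowlist, the `installPasteHandler` hook and the sample clipboard payload are all assumptions made for the illustration.

```javascript
// Added example (not Jira's or the Editor plugin's code): an allowlist
// sanitizer for HTML arriving through a paste event.  Tag names, function
// names and the sample payload below are assumptions made for illustration.

// Tags that survive sanitisation.  Every attribute is dropped, so no
// on* handler, href or src can ride along on an allowed tag.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'code', 'pre',
]);

// Escape the characters that would be interpreted as markup when the
// result is assigned to innerHTML.  '&' is always escaped, so entities
// already present in the input are double-escaped; that loses fidelity
// but never lets markup through.
function escapeText(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Try to read a tag that starts at html[start] === '<'.  Returns the index
// of the closing '>' plus the lower-cased tag name, or null when the text
// after '<' is not a tag at all (a comment, a stray '<', "<scr<script>").
function readTag(html, start) {
  const end = html.indexOf('>', start);
  if (end === -1) return null;
  const inner = html.slice(start + 1, end).trim();
  const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)(?:[\s/]|$)/.exec(inner);
  if (!m) return null;
  return { end, closing: m[1] === '/', name: m[2].toLowerCase() };
}

// Walk the pasted fragment left to right.  Allowed tags are re-emitted
// from their name alone; everything else (disallowed tags, comments,
// attributes, bare '<') is turned into literal text.
function sanitizePastedHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) {
      out += escapeText(html.slice(i));
      break;
    }
    out += escapeText(html.slice(i, lt));
    const tag = readTag(html, lt);
    if (tag === null) {
      out += '&lt;';          // not a tag: escape the '<' and move on
      i = lt + 1;
    } else if (ALLOWED_TAGS.has(tag.name)) {
      out += (tag.closing ? '</' : '<') + tag.name + '>';
      i = tag.end + 1;
    } else {
      out += escapeText(html.slice(lt, tag.end + 1)); // whole tag as text
      i = tag.end + 1;
    }
  }
  return out;
}

// Browser-side hook (assumed API shape; only meaningful in a page with a
// contenteditable editor element).  The vulnerable pattern this replaces
// is `editor.innerHTML += event.clipboardData.getData('text/html')`.
function installPasteHandler(editor) {
  editor.addEventListener('paste', (event) => {
    event.preventDefault();
    const html = event.clipboardData.getData('text/html');
    const safe = html
      ? sanitizePastedHtml(html)
      : escapeText(event.clipboardData.getData('text/plain'));
    editor.insertAdjacentHTML('beforeend', safe);
  });
}

// Constructed clipboard payload of the kind a crafted PDF could place on
// the clipboard: visible text plus an event handler and a script tag.
const SAMPLE_CLIPBOARD_HTML =
  '<p onclick="alert(document.cookie)">Release notes</p>' +
  '<img src=x onerror=alert(1)>' +
  '<script>alert(1)</script>' +
  '1 < 2 and <b>bold</b>';

// Run the sanitizer over the constructed payload; the result keeps the
// visible text and the <p>/<b> structure and nothing executable.
function demo() {
  return sanitizePastedHtml(SAMPLE_CLIPBOARD_HTML);
}
```

      `readTag` stops at the first `>` it sees, so an attribute value containing `>` garbles the output, but the trailing fragment is escaped as text and nothing in it can execute. Links are not preserved because no attributes are, and existing entities come out double-escaped. A production editor should either insert pasted content as plain text or hand the text/html flavour to a maintained sanitizer such as DOMPurify rather than a hand-rolled walker like this one.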

      *Affected versions:*

      • version < 8.5.18
      • 8.6.0 ≤ version < 8.13.10
      • 8.14.0 ≤ version < 8.18.2

      *Fixed versions:*

      • 8.5.18
      • 8.13.10
      • 8.18.2
      • 8.19.0


            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 592027 ]
            Adam G. made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 590078 ]
            Adam G. made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 587815 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-39111
            David Black made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-released dont-import security
            David Black made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to trick users into injecting arbitrary HTML or JavaScript via a Self Cross-Site Scripting (XSS) vulnerability in the description fields of Jira issues.

            The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.

            **Affected versions:**

             * version < 8.5.18
             * 8.6.0 ≤ version < 8.13.10
             * 8.14.0 ≤ version < 8.18.2

            **Fixed versions:**

             * 8.5.18
             * 8.13.10
             * 8.18.2
             * 8.19.0
            New: The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.

            The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.

            **Affected versions:**

             * version < 8.5.18
             * 8.6.0 ≤ version < 8.13.10
             * 8.14.0 ≤ version < 8.18.2

            **Fixed versions:**

             * 8.5.18
             * 8.13.10
             * 8.18.2
             * 8.19.0
            Brian Adeloye (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 576579 ]
            AB made changes -
            Security Original: Atlassian Staff [ 10750 ]
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to trick users into injecting arbitrary HTML or JavaScript via a Self Cross-Site Scripting (XSS) vulnerability in the description fields of Jira issues.

            The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2.

            **Affected versions:**

             * version < 8.5.18
             * 8.6.0 ≤ version < 8.13.10
             * 8.14.0 ≤ version < 8.18.2

            **Fixed versions:**

             * 8.5.18
             * 8.13.10
             * 8.18.2
             * 8.19.0

              Assignee: Unassigned
              Reporter: Security Metrics Bot