[%22Vendor] Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE-2021-43945 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 8.21.0, 8.20.3
Affects Version/s: 8.20.3
Component/s: None
Labels:

CVSS Score:
5.9
CVSS Severity:
Medium
CVE ID:
CVE-2021-43945

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint.

The affected versions are before version 8.20.3.

Affected versions:

version < 8.20.3

Fixed versions:

8.20.3
8.21.0

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Form Name

Mandeep Jadon made changes - 21/Feb/2023 3:40 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 733363 ]

Cathy S made changes - 24/May/2022 12:57 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 645847 ]

Nobuyuki Mukai made changes - 08/Mar/2022 1:57 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 626340 ]

Security Metrics Bot made changes - 06/Mar/2022 8:28 PM

CVE ID

New: CVE-2021-43945

AB made changes - 28/Feb/2022 12:17 AM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

AB made changes - 28/Feb/2022 12:15 AM

Summary

Original: Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE registration for this issue is already in progress

New: Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE-2021-43945

AB made changes - 24/Feb/2022 4:57 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint.

The affected versions are before version 8.20.3.

*Affected versions:*

* version < 8.20.3

*Fixed versions:*

* 8.20.3
* 8.21.0

New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint.

The affected versions are before version 8.20.3.

*Affected versions:*
* version < 8.20.3

*Fixed versions:*
* 8.20.3
* 8.21.0

AB made changes - 31/Dec/2021 4:05 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint.

The affected versions are before version 8.20.3.

*Affected versions:*

* version < 8.20.3

*Fixed versions:*

* 8.20.3
* 8.21.0

New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint.

The affected versions are before version 8.20.3.

*Affected versions:*

* version < 8.20.3

*Fixed versions:*

* 8.20.3
* 8.21.0

AB added a comment - 31/Dec/2021 2:46 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 5.9 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	Low

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

AB added a comment - 31/Dec/2021 2:46 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.9 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability Low https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

AB made changes - 31/Dec/2021 2:46 AM

Summary

Original: Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter

New: Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE registration for this issue is already in progress

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 30/Nov/2021 6:48 PM

Updated:: 21/Feb/2023 3:40 PM

Resolved:: 28/Feb/2022 12:17 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-73069] Stored XSS on /rest/jpo/1.0/hierarchyConfiguration via issueTypes parameter - CVE-2021-43945

Collapse comment: AB added a comment - 31/Dec/2021 2:46 AM, Edited by Security Metrics Bot - 02/Jan/2022 8:28 PM

Expand comment: AB added a comment - 31/Dec/2021 2:46 AM, Edited by Security Metrics Bot - 02/Jan/2022 8:28 PM

People

Dates