[JSDSERVER-6895] XSS in API and Integrations - CVE-2020-14166 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 4.10.0
Affects Version/s: 4.7.1
Component/s: API and Integrations
Labels:
- CVE-2020-14166
- advisory
- advisory-released
- bugbounty
- cqt
- cvss-medium
- security
- xss

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in API and Integrations.

Affected versions:

version < 4.10.0

Fixed versions:

4.10.0

Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Does Atlassian Jira Service Desk Appliance version number and Atlassian Jira Service Desk Server version number match up, or, are separate version numbers specific to each the Appliance version and Server version?

Just need to know as I can not get Atlassian Jira Service Desk Server version, while Atlassian Service Desk Application version number is displayed.

Peter Sharar added a comment - 08/Apr/2021 3:38 AM Does Atlassian Jira Service Desk Appliance version number and Atlassian Jira Service Desk Server version number match up, or, are separate version numbers specific to each the Appliance version and Server version? Just need to know as I can not get Atlassian Jira Service Desk Server version, while Atlassian Service Desk Application version number is displayed.

Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.8 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 18/Jun/2020 2:45 AM

Updated:: 08/Apr/2021 3:38 AM

Resolved:: 18/Jun/2020 3:45 AM

Jira Service Management Data Center

Details

Description

Attachments

Forms

Activity

[JSDSERVER-6895] XSS in API and Integrations - CVE-2020-14166

Collapse comment: Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Expand comment: Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Collapse comment: Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

Expand comment: Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

People

Dates