• Type: Bug
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 4.10.0
• Affects Version/s: 4.7.1
• Component/s: API and Integrations
• Labels:

  • CVE-2020-14166
  • advisory
  • advisory-released
  • bugbounty
  • cqt
  • cvss-medium
  • security
  • xss

[JSDSERVER-6895] XSS in API and Integrations - CVE-2020-14166

Collapse comment: Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Does Atlassian Jira Service Desk Appliance version number and Atlassian Jira Service Desk Server version number match up, or, are separate version numbers specific to each the Appliance version and Server version?

Just need to know as I can not get Atlassian Jira Service Desk Server version, while Atlassian Service Desk Application version number is displayed.

Expand comment: Peter Sharar added a comment - 08/Apr/2021 3:38 AM

Peter Sharar added a comment - 08/Apr/2021 3:38 AM Does Atlassian Jira Service Desk Appliance version number and Atlassian Jira Service Desk Server version number match up, or, are separate version numbers specific to each the Appliance version and Server version? Just need to know as I can not get Atlassian Jira Service Desk Server version, while Atlassian Service Desk Application version number is displayed.

alexmin (Inactive) made changes - 01/Jul/2020 12:44 AM

Labels

Original: CVE-2020-14166 advisory advisory-to-release bugbounty cqt cvss-medium security xss

New: CVE-2020-14166 advisory advisory-released bugbounty cqt cvss-medium security xss

alexmin (Inactive) made changes - 01/Jul/2020 12:44 AM

Security

Original: Atlassian Staff [ 10750 ]

alexmin (Inactive) made changes - 18/Jun/2020 3:45 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Needs Triage [ 10030 ]	New: Closed [ 6 ]

alexmin (Inactive) made changes - 18/Jun/2020 3:45 AM

Labels

Original: advisory advisory-to-release bugbounty cqt cvss-medium security xss

New: CVE-2020-14166 advisory advisory-to-release bugbounty cqt cvss-medium security xss

alexmin (Inactive) made changes - 18/Jun/2020 3:45 AM

Summary

Original: XSS in API and Integrations - CVE-PENDING

New: XSS in API and Integrations - CVE-2020-14166

Security Metrics Bot made changes - 18/Jun/2020 3:11 AM

Due Date

New: 16/Sep/2020

Security Metrics Bot made changes - 18/Jun/2020 2:45 AM

Link

New: This issue is detailed by JSDSERVER-6803 [ JSDSERVER-6803 ]

Collapse comment: Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.8 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Expand comment: Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM

Security Metrics Bot added a comment - 18/Jun/2020 2:45 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Security Metrics Bot made changes - 18/Jun/2020 2:45 AM

Fix Version/s		New: 4.10.0 [ 91825 ]
Description	Original: Filler description.	New: Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in API and Integrations. *Affected versions:*  * version < 4.10.0 *Fixed versions:*  * 4.10.0
Labels		New: advisory advisory-to-release bugbounty cqt cvss-medium security xss

Load more older events