• 5.4
    • Medium

      Jira Service Management Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

      Affected versions:

      • version < 4.5.13
      • 4.13.0 ≤ version < 4.13.5
      • 4.15.0 ≤ version < 4.15.1

      Fixed versions:

      • 4.5.13
      • 4.13.5
      • 4.15.1
      • 4.16.0

            [JSDSERVER-7250] XSS via parameter pollution

            Nobuyuki Mukai made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 590098 ]
            Brian Adeloye (Inactive) made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Brian Adeloye (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]

            Brian Adeloye (Inactive) added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.1 => High severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: Required

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: High
            Integrity: Low
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
            Brian Adeloye (Inactive) made changes -
            Description Original: Jira Service Management Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

            *Affected versions:*
             * version < 8.5.12
             * 8.6.0 ≤ version < 8.13.4
             * 8.14.0 ≤ version < 8.15.1

            *Fixed versions:*
             * 8.5.12
             * 8.13.4
             * 8.15.1

            Atlassian would like to credit Peter af Geijerstam for reporting this issue.
            New: Jira Service Management Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

            *Affected versions:*
             * version < 4.5.13
             * 4.13.0 ≤ version < 4.13.5
             * 4.15.0 ≤ version < 4.15.1

            *Fixed versions:*
             * 4.5.13
             * 4.13.5
             * 4.15.1
             * 4.16.0
            Brian Adeloye (Inactive) made changes -
            Summary Original: [Jira Service Desk Server] XSS via Prototype Pollution New: XSS via parameter pollution
            Brian Adeloye (Inactive) made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: Jira Service Management Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.

            *Affected versions:*
             * version < 8.5.12
             * 8.6.0 ≤ version < 8.13.4
             * 8.14.0 ≤ version < 8.15.1

            *Fixed versions:*
             * 8.5.12
             * 8.13.4
             * 8.15.1

            Atlassian would like to credit Peter af Geijerstam for reporting this issue.
            Security Metrics Bot made changes -
            Labels New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -

              Unassigned
              Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 1
