{"api_version":"1","generated_at":"2026-04-23T06:18:49+00:00","cve":"CVE-2020-14166","urls":{"html":"https://cve.report/CVE-2020-14166","api":"https://cve.report/api/cve/CVE-2020-14166.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-14166","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-14166"},"summary":{"title":"CVE-2020-14166","description":"The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2020-07-01 02:15:00","updated_at":"2022-02-01 17:41:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://jira.atlassian.com/browse/JSDSERVER-6895","name":"https://jira.atlassian.com/browse/JSDSERVER-6895","refsource":"MISC","tags":["Issue Tracking","Vendor Advisory"],"title":"[JSDSERVER-6895] XSS in API and Integrations - CVE-2020-14166 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"426"},{"url":"http://packetstormsecurity.com/files/162107/Atlassian-Jira-Service-Desk-4.9.1-Cross-Site-Scripting.html","name":"http://packetstormsecurity.com/files/162107/Atlassian-Jira-Service-Desk-4.9.1-Cross-Site-Scripting.html","refsource":"MISC","tags":[],"title":"Atlassian Jira Service Desk 4.9.1 Cross Site Scripting ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-14166","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14166","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_service_desk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"data_center","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_service_desk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"server","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_software_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"14166","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_software_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-14166","qid":"730460","title":"Atlassian Jira Service Desk Server and Data Center Cross-Site Scripting (XSS) Vulnerability (JSDSERVER-6895)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2020-07-01T00:00:00","ID":"CVE-2020-14166","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Jira Service Desk Server and Data Center","version":{"version_data":[{"version_value":"4.10.0","version_affected":"<"}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross Site Scripting (XSS)"}]}]},"references":{"reference_data":[{"url":"https://jira.atlassian.com/browse/JSDSERVER-6895","refsource":"MISC","name":"https://jira.atlassian.com/browse/JSDSERVER-6895"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/162107/Atlassian-Jira-Service-Desk-4.9.1-Cross-Site-Scripting.html","url":"http://packetstormsecurity.com/files/162107/Atlassian-Jira-Service-Desk-4.9.1-Cross-Site-Scripting.html"}]}},"nvd":{"publishedDate":"2020-07-01 02:15:00","lastModifiedDate":"2022-02-01 17:41:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*","versionEndExcluding":"4.10.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*","versionEndExcluding":"4.10.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"14166","Ordinal":"175396","Title":"CVE-2020-14166","CVE":"CVE-2020-14166","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"14166","Ordinal":"1","NoteData":"The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"14166","Ordinal":"2","NoteData":"2020-06-30","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"14166","Ordinal":"3","NoteData":"2021-04-07","Type":"Other","Title":"Modified"}]}}}