QID 730144

Date Published: 2021-07-21

QID 730144: Atlassian Jira Multiple Vulnerabilities (JRASERVER-72213, JRASERVER-72499)

Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

Affected by below vulnerability:
CVE-2021-26083: The name of a filter can be used to XSS users who open an "Export HTML Report".

CVE-2021-26081: Username of users via an enumeration vulnerability in the REST API.

Affected version:
Atlassian Jira Server versions prior to version 8.5.14
Atlassian Jira Server from version 8.6.0 before 8.13.6
Atlassian Jira Server from version 8.14.0 before 8.16.1
QID Detection Logic:(Unauthenticated)
It checks for vulnerable version of Atlassian Jira.

Successful exploitation of this vulnerability may allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Export HTML Report feature or username enumeration from the REST API.

  • CVSS V3 rated as Medium - 5.4 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    Customers are advised to refer JRASERVER-72213 for updates pertaining to this vulnerability.

    CVEs related to QID 730144

    Software Advisories
    Advisory ID Software Component Link
    JRASERVER-72213 URL Logo jira.atlassian.com/browse/JRASERVER-72213