Skip to main content

Jira CVE-2018-5232

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-07-18 security@atlassian.com
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 18, 2018 - 14:29 nvd
MEDIUM 6.1

DescriptionNVD

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.

AnalysisAI

The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter. Affected products include: Atlassian Jira, Atlassian Jira Server. Version information: version 7.6.7.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Jira

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2014-2314 MEDIUM POC
4.3 Mar 09

Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers t

CVE-2017-5983 CRITICAL POC
9.8 Apr 10

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,

CVE-2019-8442 HIGH POC
7.5 May 22

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4,

CVE-2016-6285 MEDIUM POC
6.1 Jan 31

Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 a

CVE-2021-26078 MEDIUM POC
6.1 Jun 07

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before

CVE-2019-3402 MEDIUM POC
6.1 May 22

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows

CVE-2018-5230 MEDIUM POC
6.1 May 14

The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0

CVE-2019-16541 CRITICAL
9.9 Nov 21

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions,

CVE-2020-14172 CRITICAL
9.8 Jul 03

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templ

CVE-2025-57681 MEDIUM POC
5.4 Jan 21

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-j

CVE-2020-14181 MEDIUM POC
5.3 Sep 17

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Infor

Share

CVE-2018-5232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy