Skip to main content

Jira CVE-2025-67824

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-01-20 cve@mitre.org
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 20, 2026 - 16:16 nvd
MEDIUM 6.1

DescriptionCVE.org

The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action.

AnalysisAI

WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).

Technical ContextAI

This vulnerability (CWE-79: Cross-site Scripting (XSS)) affects WorklogPRO - Jira Timesheets plugin in the Jira Data Center. The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action.

Affected ProductsAI

Product: WorklogPRO - Jira Timesheets plugin in the Jira Data Center. Versions: up to 4.24.2.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More in Jira

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2014-2314 MEDIUM POC
4.3 Mar 09

Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers t

CVE-2017-5983 CRITICAL POC
9.8 Apr 10

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,

CVE-2019-8442 HIGH POC
7.5 May 22

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4,

CVE-2016-6285 MEDIUM POC
6.1 Jan 31

Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 a

CVE-2021-26078 MEDIUM POC
6.1 Jun 07

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before

CVE-2019-3402 MEDIUM POC
6.1 May 22

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows

CVE-2018-5230 MEDIUM POC
6.1 May 14

The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0

CVE-2019-16541 CRITICAL
9.9 Nov 21

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions,

CVE-2020-14172 CRITICAL
9.8 Jul 03

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templ

CVE-2025-57681 MEDIUM POC
5.4 Jan 21

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-j

CVE-2020-14181 MEDIUM POC
5.3 Sep 17

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Infor

Share

CVE-2025-67824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy