CVE-2008-6831

Atlassian Jira - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").

References (7)

[Patch, Vendor Advisory] http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29

[Vendor Advisory] http://secunia.com/advisories/32113

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/46167

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/46168

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/31967

[Third Party Advisory, VDB Entry] http://osvdb.org/49415

[Third Party Advisory, VDB Entry] http://osvdb.org/49416

Scores

EPSS 0.0049

EPSS Percentile 65.0%

Classification

CWE

CWE-79

Status published

Affected Products (2)

atlassian/jira

n/a/n/a

Timeline

Published Jun 08, 2009

Tracked Since Feb 18, 2026