CVE-2019-12836

HIGH

Bobronix JEditor < 3.0.6 - Cross-Site Request Forgery via URL/Link in Issue

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12836. PoCs published by 9lyph.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2019-12836, a CSRF vulnerability in JEditor v3.0.5 for Jira. It includes an example HTTP request and response demonstrating how an attacker can upload and render malicious HTML content, leading to session token theft.

Description

The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause a request to be forged to an out-of-origin domain. This in turn may allow a forged request to be invoked in the context of an authenticated user, leading to theft of session tokens and account takeover.

Exploits (1)

nomisec writeup · 7 stars
by 9lyph · poc
https://github.com/9lyph/CVE-2019-12836


Classification
Writeup 90%
Attack Type
CSRF
Complexity
Moderate
Reliability
Reliable
Target: JEditor v3.0.5 for Jira
Auth required
Prerequisites: Authenticated user interaction with embedded link/URL
Analyzed by devstral-2, Feb 18, 2026

References (2)

Core References
Release Notes, Third Party Advisory (x_refsource_confirm)
https://jeditor.zendesk.com/hc/en-us/articles/360029430751-JEditor-3-0-6-release-notes

Scores

CVSS v3 8.8
EPSS 0.0097
EPSS Percentile 57.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
bobronix/jeditor < 3.0.6
Published Jun 21, 2019
Tracked Since Feb 18, 2026