CVE-2020-4022

MEDIUM

Atlassian Jira < 8.5.5, 8.6.0-8.8.2, 8.9.0-8.9.1 - Cross-Site Scripting via Mixed Multipart Attachment Download

Title source: llm

Description

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://jira.atlassian.com/browse/JRASERVER-71107

Scores

CVSS v3 6.1

EPSS 0.0033

EPSS Percentile 56.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

atlassian/jira < 8.5.5

atlassian/jira_data_center 8.6.0 - 8.8.2

atlassian/jira_server 8.6.0 - 8.8.2

atlassian/jira_software_data_center < 8.5.5

Published Jul 01, 2020

Tracked Since Feb 18, 2026