CVE-2020-4024

MEDIUM

Atlassian Jira < 8.5.5, 8.6.0-8.8.2, 8.9.0-8.9.1 - Cross-Site Scripting via vnd.wap.xhtml+xml Attachment

Title source: llm

Description

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://jira.atlassian.com/browse/JRASERVER-71113

Scores

CVSS v3 5.4

EPSS 0.0027

EPSS Percentile 50.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

atlassian/jira < 8.5.5

atlassian/jira_data_center 8.6.0 - 8.8.2

atlassian/jira_server 8.6.0 - 8.8.2

atlassian/jira_software_data_center < 8.5.5

Published Jul 01, 2020

Tracked Since Feb 18, 2026