CVE-2021-39111

MEDIUM

Atlassian Jira Server/Data Center XSS via PDF Content Paste (versions <8.5.18, 8.6.0-8.13.10, 8.14.0-8.18.2)

Title source: llm

Description

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.

References (1)

Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-72716

Scores

CVSS v3: 6.1
EPSS: 0.0034
EPSS Percentile: 57.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (4)
atlassian/data_center < 8.5.18
atlassian/jira < 8.5.18
atlassian/jira_data_center 8.6.0 - 8.13.10
atlassian/jira_server 8.6.0 - 8.13.10
Published: Aug 30, 2021
Tracked Since: Feb 18, 2026