Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-14166

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
4.8MEDIUM
EPSS
0.8%
top 26.66%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Atlassian Jira Service Desk Server AND Data CenterAtlassian Jira Service Desk
Timeline
PublishedJul 1
Latest updateMay 24

Description

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

CVEListV5atlassian/jira_service_desk_server_and_data_centerunspecified4.10.0

🔴Vulnerability Details

2
GHSA
GHSA-r66f-f7w5-7r65: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 42022-05-24
CVEList
CVE-2020-14166: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 42020-07-01

💥Exploits & PoCs

1
Exploit-DB
Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS2021-04-07
CVE-2020-14166 (MEDIUM CVSS 4.8) | The /servicedesk/customer/portals r | cvebase.io