CVE-2020-14173

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.2%

top 54.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Server Atlassian Jira Atlassian Jira Data Center +1 more

Timeline

PublishedJul 3

Latest updateMay 24

Description

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDatlassian/jira_data_center8.6.0 — 8.6.2+1

▶NVDatlassian/jira_software_data_center< 8.5.4

▶CVEListV5atlassian/jira_serverunspecified — 8.5.4+4

▶NVDatlassian/jira_server8.6.0 — 8.6.2+1

▶NVDatlassian/jira< 8.5.4

🔴Vulnerability Details

GHSA

GHSA-qwxf-m68g-w6v5: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript v↗2022-05-24

▶

CVEList

CVE-2020-14173: The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript v↗2020-07-03

▶