Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-26078

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

0.6%

top 31.79%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedJun 7

Latest updateMay 24

Description

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.5.14+4

▶CVEListV5atlassian/jira_serverunspecified — 8.5.14+4

▶NVDatlassian/jira_server8.6.0 — 8.13.6+1

▶NVDatlassian/jira< 8.5.14

▶NVDatlassian/data_center8.6.0 — 8.13.6+2

Patches

Patch: jira.atlassian.com ↗Patch: jira.atlassian.com ↗

🔴Vulnerability Details

GHSA

GHSA-5fqv-3jfx-5p64: The number range searcher component in Jira Server and Jira Data Center before version 8↗2022-05-24

▶

CVEList

CVE-2021-26078: The number range searcher component in Jira Server and Jira Data Center before version 8↗2021-06-07

▶

💥Exploits & PoCs

Exploit-DB

Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)↗2021-06-28

▶