CVE-2021-41304

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.4%

top 40.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedOct 26

Latest updateMay 24

Description

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.13.12+2

▶NVDatlassian/jira_data_center8.14.0 — 8.20.2

▶CVEListV5atlassian/jira_serverunspecified — 8.13.12+2

▶NVDatlassian/data_center< 8.13.12

▶NVDatlassian/jira_server8.14.0 — 8.20.2

Patches

Patch: jira.atlassian.com ↗Patch: jira.atlassian.com ↗

🔴Vulnerability Details

GHSA

GHSA-frf8-q8px-qghm: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Sc↗2022-05-24

▶

CVEList

CVE-2021-41304: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Sc↗2021-10-26

▶