CVE-2010-1164: XSS
First published: Tue Apr 20 2010(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Jira | =3.13.2 | |
| Atlassian Jira | =4.0.2 | |
| Atlassian Jira | =3.12 | |
| Atlassian Jira | =4.0.1 | |
| Atlassian Jira | =4.1 | |
| Atlassian Jira | =3.13.3 | |
| Atlassian Jira | =3.12.3 | |
| Atlassian Jira | =3.13.5 | |
| Atlassian Jira | =3.13.1 | |
| Atlassian Jira | =3.12.2 | |
| Atlassian Jira | =3.12.1 | |
| Atlassian Jira | =3.13.4 | |
| Atlassian Jira | =3.13 | |
| Atlassian Jira | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2010/04/16/3
- http://secunia.com/advisories/39353
- http://www.openwall.com/lists/oss-security/2010/04/16/4
- http://jira.atlassian.com/browse/JRA-20994
- http://jira.atlassian.com/browse/JRA-21004
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16
- http://www.securityfocus.com/bid/39485
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57827
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57826
Frequently Asked Questions
What is the severity of CVE-2010-1164?
CVE-2010-1164 is classified as a moderate severity vulnerability due to its nature allowing cross-site scripting attacks.
How do I fix CVE-2010-1164?
To fix CVE-2010-1164, you should upgrade Atlassian JIRA to the latest version that addresses these XSS vulnerabilities.
What are the affected versions in CVE-2010-1164?
CVE-2010-1164 affects Atlassian JIRA versions from 3.12 to 4.1, including specific subversions within that range.
What types of attacks does CVE-2010-1164 allow?
CVE-2010-1164 allows remote attackers to inject arbitrary web scripts or HTML, leading to potential phishing or data theft.
Is CVE-2010-1164 specific to any particular parameter?
Yes, CVE-2010-1164 exploits vulnerabilities through several parameters including element, defaultColor, and formName.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian jira
- version/atlassian jira/3.13.2
- version/atlassian jira/4.0.2
- version/atlassian jira/3.12
- version/atlassian jira/4.0.1
- version/atlassian jira/4.1
- version/atlassian jira/3.13.3
- version/atlassian jira/3.12.3
- version/atlassian jira/3.13.5
- version/atlassian jira/3.13.1
- version/atlassian jira/3.12.2
- version/atlassian jira/3.12.1
- version/atlassian jira/3.13.4
- version/atlassian jira/3.13
- version/atlassian jira/4.0