First published: Wed Jul 01 2020
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian JIRA | <8.5.5 | |
| Atlassian Jira Data Center | >=8.6.0, <8.8.2 | |
| Atlassian Jira Data Center | >=8.9.0, <8.9.1 | |
| Atlassian Jira Server | >=8.6.0, <8.8.2 | |
| Atlassian Jira Server | >=8.9.0, <8.9.1 | |
| Atlassian Jira Software Data Center | <8.5.5 | |
CVE-2020-4022 is a Cross-Site Scripting (XSS) vulnerability in Atlassian Jira Server and Data Center.
CVE-2020-4022 allows remote attackers to inject arbitrary HTML or JavaScript into issue attachments.
Atlassian Jira Server and Data Center before version 8.5.5, from version 8.6.0 before 8.8.2, and from version 8.9.0 before 8.9.1 are affected.
The severity of CVE-2020-4022 is medium with a CVSS score of 6.1.
To fix CVE-2020-4022, update Jira Server and Data Center to a release outside the affected ranges: 8.5.5 or later on the 8.5 line, 8.8.2 or later for installations running 8.6.0 through 8.8.x, or 8.9.1 or later for installations running 8.9.0.
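The affected ranges above are easy to misread (the upper bounds are exclusive, and 8.5.5 through 8.5.x and 8.8.2 through 8.8.x are not affected), so a small version-range check is the practical way to triage an inventory against this advisory. The following is an added example written for this page, not code from SecAlerts or Atlassian; the hostnames and version strings in `SAMPLE_INVENTORY` are constructed, and `triage`, `fixed_version_for` and `parse_version` are hypothetical helper names. The ranges themselves are copied from the table above.

```python
import re
from typing import Optional

# Affected version ranges for CVE-2020-4022 as listed in the advisory above:
# each entry is (inclusive lower bound, exclusive upper bound). The first
# range is given only as "<8.5.5", so its lower bound is set to 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 5)),
    ((8, 6, 0), (8, 8, 2)),
    ((8, 9, 0), (8, 9, 1)),
]

# Leading "major.minor.patch" of a version string; trailing qualifiers are ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn a Jira version string such as '8.5.4' or '8.10' into a 3-tuple.

    Build/qualifier suffixes (e.g. a constructed '8.9.0-m0001') are ignored and
    a missing minor or patch component is treated as 0. Raises ValueError on junk.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range (upper bound exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the same line (the range's upper bound), or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(p) for p in hi)
    return None


def triage(inventory: dict) -> dict:
    """Map hostname -> target fix version for every affected host in an inventory."""
    return {host: fixed_version_for(ver) for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "jira-prod-01": "8.5.4",
    "jira-prod-02": "8.5.5",
    "jira-dc-01": "8.8.1",
    "jira-dc-02": "8.8.2",
    "jira-lab": "8.9.0-m0001",
    "jira-new": "8.10.0",
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2020-4022, upgrade to {fix} or later")
```

Run against the sample inventory, `triage` flags only the 8.5.4, 8.8.1 and 8.9.0 hosts and names the first fixed release on each line; 8.5.5, 8.8.2 and 8.10.0 fall outside every range. The check covers version numbers only, so it tells you which instances to upgrade, not whether an instance has already received malicious attachments.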