HTTP: Atlassian Jira Server and Data Center planUrl Reflected Cross-Site Scripting

A reflected cross-site scripting vulnerability has been reported in Atlassian Jira Server and Data Center. The vulnerability is due to insufficient sanitization of the planUrl parameter in HTTP requests to the TeamManagement.jspa endpoint: the parameter value is reflected into the response without adequate encoding or validation. A remote, unauthenticated attacker can exploit this vulnerability by enticing a target user into opening a crafted link. Successful exploitation could result in arbitrary redirection or, in the worst case, arbitrary script execution in the target user's browser within the origin of the vulnerable Jira instance, with the privileges of that user's Jira session.

Extended Description

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The issue is tracked as CVE-2022-36801. The affected versions are before version 8.20.8.
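To make concrete what a network-side check for this signature has to look at, the following is an added example written for this page. It is not the signature's actual matching logic and not Atlassian's code. It inspects an HTTP request line, confines itself to requests whose path ends in TeamManagement.jspa (the page names only the endpoint file; the /secure/ prefix in the samples is an assumption), fully percent-decodes the planUrl value so that double-encoded payloads are not missed, and flags values that carry HTML markup, an inline event handler, or a script-capable URL scheme. The sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the full path is /secure/TeamManagement.jspa; the page only names the file.
ENDPOINT_FILE = "teammanagement.jspa"

# Markup characters or an inline event handler (onerror=, onload=, ...) inside a value
# that should be a plain URL. \b keeps words like "montage=" from matching.
MARKUP_RE = re.compile(r"[<>\"']|\bon\w+\s*=", re.IGNORECASE)
# A "URL" parameter whose scheme can execute script or smuggle markup.
SCHEME_RE = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; attackers double-encode to
    slip past a check that decodes only once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request_line):
    """Return a reason string if the request looks like a planUrl RXSS attempt
    against TeamManagement.jspa, otherwise None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not url.path.lower().endswith(ENDPOINT_FILE):
        return None  # other endpoints are outside this signature's scope
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    for raw in params.get("planUrl", []):
        value = decode_fully(raw)
        if SCHEME_RE.search(value):
            return "planUrl uses a script-capable URL scheme"
        if MARKUP_RE.search(value):
            return "planUrl contains HTML markup or event handler"
    return None


# Constructed sample traffic for the example; not captured from a real system.
SAMPLE_REQUESTS = [
    # benign: planUrl is an ordinary https URL
    "GET /secure/TeamManagement.jspa?planUrl=https%3A%2F%2Fjira.example.com%2Fplans%2F1 HTTP/1.1",
    # attack-shaped: markup with an event handler in the parameter
    "GET /secure/TeamManagement.jspa?planUrl=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1",
    # attack-shaped: double-encoded javascript: scheme
    "GET /secure/TeamManagement.jspa?planUrl=%256Aavascript%253Aalert(1) HTTP/1.1",
    # same payload against another endpoint: not this signature's scope
    "GET /secure/Dashboard.jspa?planUrl=%3Cscript%3E HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS):
    """Pair each request line with the verdict from inspect_request()."""
    return [(req, inspect_request(req)) for req in requests]


if __name__ == "__main__":
    for req, verdict in scan():
        print(verdict or "clean", "<-", req.split()[1])
```

The check is a heuristic. A legitimate planUrl that itself contains a quote or a query parameter beginning with "on" would trip MARKUP_RE, which is why a signature like this ships with an unknown false-positive rate and is not enabled by default; tuning the patterns against the site's real traffic before switching the action to Drop is the practitioner's job.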

Affected Products

Atlassian jira_server

Short Name
HTTP:XSS:ATLSIAN-JIRA-DC-RXSS
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Atlassian CVE-2022-36801 Center Cross-Site Data Jira Reflected Scripting Server and planUrl
Release Date
12/06/2022
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors

Atlassian
