This host is running Atlassian JIRA and is prone to privilege escalation and multiple cross site scripting vulnerabilities.

Successful exploitation will let attackers to execute arbitrary script or gain higher privileges. Impact Level: Application

Upgrade to the Atlassian JIRA version 4.1.1 or later or apply patch. For more details refer, http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16#JIRASecurityAdvisory2010-04-16-XSSVulnerabilitiesinJIRA ***** NOTE: Ignore this warning, if above mentioned patch is applied. *****

The flaws are caused because input passed to the - 'element' or 'defaultColor' parameters to the 'Colour Picker' page, - 'formName' and 'element' parameters and the 'full user name' field to the 'User Picker' and 'Group Picker' page, - 'announcement_preview_banner_st' parameter to the 'Announcement Banner Preview' page, - 'portletKey' parameter to 'runportleterror.jsp', URL to 'issuelinksmall.jsp', - 'afterURL' parameter to 'screenshot-redirecter.jsp', - 'Referrer' HTTP request header to '500page.jsp' - 'groupnames.jsp', 'indexbrowser.jsp', 'classpath-debug.jsp', 'viewdocument.jsp', and 'cleancommentspam.jsp' are not properly sanitised before being returned to the user. It allows administrative users to change certain path settings, which can be exploited to gain operating system account privileges to the server infrastructure.

Atlassian JIRA version 3.12 through 4.1

• http://jira.atlassian.com/browse/JRA-20995
• http://jira.atlassian.com/browse/JRA-21004
• http://secunia.com/advisories/39353
• http://www.openwall.com/lists/oss-security/2010/04/16/3
• http://www.openwall.com/lists/oss-security/2010/04/16/4
• http://xforce.iss.net/xforce/xfdb/57826
• http://xforce.iss.net/xforce/xfdb/57828

---

Updated on 2015-03-25