Atlassian Jira DOM-based cross-site scripting vulnerability

Description

Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

Atlassian Jira versions 6.0.* through 6.1.4 (inclusive) are affected by a DOM-based cross-site scripting vulnerability.

DOM-based XSS is a type of cross-site scripting attack that relies on the page's client-side code handling data from its associated DOM inappropriately. Several objects in the DOM can be manipulated by an attacker to produce the XSS condition; the most commonly used for this purpose are document.URL, document.location and document.referrer.
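To review client-side code for the pattern described above, the following added example (not Jira's code and not part of the original advisory) flags lines where a value read from document.URL, document.location or document.referrer reaches an HTML or script sink. The sink list, the line-based heuristic, the function name findDomXssFlows and the sample script are assumptions made for illustration.

```javascript
// Sources are the DOM properties named in the text above.
const SOURCES = /\bdocument\.(?:URL|location|referrer)\b/;
// Sinks: an assumed, non-exhaustive list of places where a string becomes markup or code.
const SINKS = /\.(?:innerHTML|outerHTML)\s*=|\bdocument\.write(?:ln)?\s*\(|\beval\s*\(/;
// Simple `name = expression` statements, used to follow a value through variables.
const ASSIGN = /^\s*(?:(?:var|let|const)\s+)?([A-Za-z_]\w*)\s*=(?![=>])(.*)$/;

// Heuristic, line-by-line audit: returns the lines where tainted data reaches a sink.
function findDomXssFlows(code) {
  const tainted = new Set();
  const findings = [];
  const isTainted = (expr) =>
    SOURCES.test(expr) ||
    [...tainted].some((name) => new RegExp("\\b" + name + "\\b").test(expr));

  code.split("\n").forEach((line, index) => {
    const sink = SINKS.exec(line);
    if (sink) {
      // Only the assigned value or call argument (text after the sink) is checked.
      const value = line.slice(sink.index + sink[0].length);
      if (isTainted(value)) findings.push({ line: index + 1, code: line.trim() });
      return;
    }
    const assign = ASSIGN.exec(line);
    if (!assign) return;
    // A variable is tainted while its latest assignment derives from a source.
    if (isTainted(assign[2])) tainted.add(assign[1]);
    else tainted.delete(assign[1]);
  });
  return findings;
}

// Constructed sample script for the demonstration (not taken from Jira).
const SAMPLE = [
  'var ref = document.referrer;',
  'var page = document.URL.split("#")[1];',
  'document.getElementById("back").innerHTML = "<a href=" + ref + ">Back</a>";',
  'document.getElementById("title").textContent = page;', // textContent is not an HTML sink
  'var label = "static";',
  'document.write(label);',
  'document.write("<b>" + page + "</b>");',
].join("\n");

console.log(findDomXssFlows(SAMPLE));
```

The scan does not model sanitizers or multi-line statements, so treat its output as a list of lines to review by hand rather than as proof of a flaw or of its absence.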

Remediation

Customers who have downloaded and installed JIRA should upgrade their existing JIRA installations or apply the patches to fix these vulnerabilities.
