CVE-2018-13395

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.

Published: Aug 28, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-13395
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
atlassian / jira	-	7.6.8
atlassian / jira_server	7.11.0	7.11.1
atlassian / jira_server	7.10.0	7.10.3
atlassian / jira_server	7.7.0	7.7.5
atlassian / jira_server	7.9.0	7.9.3
atlassian / jira_server	7.8.0	7.8.5

https://jira.atlassian.com/browse/JRASERVER-67848

Vulnerability Database

289,784

CVE-2018-13395