CVE-2019-12836

The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
bobronixjeditor
𝑥
< 3.0.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/9lyph/CVE-2019-12836/blob/master/README.md
https://jeditor.zendesk.com/hc/en-us/articles/360029430751-JEditor-3-0-6-release-notes
https://github.com/9lyph/CVE-2019-12836/blob/master/README.md
https://jeditor.zendesk.com/hc/en-us/articles/360029430751-JEditor-3-0-6-release-notes