CVE-2021-39111

EUVD-2021-25547
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
atlassiandata_center
𝑥
< 8.5.18
atlassianjira
𝑥
< 8.5.18
atlassianjira_data_center
8.6.0 ≤
𝑥
< 8.13.10
atlassianjira_data_center
8.14.0 ≤
𝑥
< 8.18.2
atlassianjira_server
8.6.0 ≤
𝑥
< 8.13.10
atlassianjira_server
8.14.0 ≤
𝑥
< 8.18.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://jira.atlassian.com/browse/JRASERVER-72716
https://jira.atlassian.com/browse/JRASERVER-72716