Atlassian Jira "global-translations.jsp" Cross-Site Scripting Vulnerability Fixed by 7.2.2


Description   A cross-site scripting vulnerability was reported in Atlassian Jira. A remote attacker could exploit it by enticing their victim into following a specially formed link in order to execute arbitrary JavaScript or HTML code.

This vulnerability, located in the "/src/main/webapp/includes/decorators/global-translations.jsp" file, is due to an improper validation of user-supplied input.

A proof of concept is available.
     
Vulnerable Products   Vulnerable Software:
JIRA (Atlassian) - 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, ..., 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1
     
Solution   Version 7.2.2 of Atlassian Jira fixes this vulnerability.
     
CVE   CVE-2016-6285
     
References   - Full Disclosure: Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software
http://seclists.org/fulldisclosure/2017/Jan/41
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                   Available Since
Code injection in HTTP User-Agent detected                         4.1.2
XSS - Prevention : suspicious tag or javascript found in header    5.0.0
XSS - Prevention : suspicious 'document.cookie' found in header    5.0.0
XSS - Prevention : suspicious 'script' tag found in header         5.0.0
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2017-01-16

Target Type   Client

Possible exploit   Remote