CVE-2021-26078

moderate-risk

Published 2021-06-07

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

Do I need to act?

0.56% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

50068

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (3)

Data Center

Jira

Jira Server

Affected Vendors

Atlassian

References (4)

Exploit http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8....

Patch https://jira.atlassian.com/browse/JRASERVER-72392

Exploit http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8....

Patch https://jira.atlassian.com/browse/JRASERVER-72392

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 2/34 · Minimal

Exposure 9/34 · Low