Summary

Cross-site scripting vulnerabilities in User Anonymizer for Jira (GDPR)

Advisory Release Date

3 November 2020 

Product

User Anonymizer for Jira (GDPR)

Affected Versions

All User Anonymizer for Jira (GDPR) versions until 2.0.3

Fixed Version

2.0.4

...

For the first two vulnerabilities, because of incorrect escaping, our app would render some information from Jira as HTML. This qualifies as a cross-site scripting (XSS) vulnerability. The HTML code, which might contain JavaScript, will then be executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges. The third vulnerability, because of the missing XSRF security token, could cause a user with permissions to execute an unwanted anonymization unknowingly.
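The two defect classes described above, shown as an added example that is not the app's own code: an unescaped render next to its escaped form, and an anonymization handler that requires an XSRF token in addition to permission. All function names, field names and the sample user are hypothetical and constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: Jira-sourced fields are concatenated into markup unescaped (the XSS pattern).
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.displayName}</td><td>${user.email}</td></tr>`;
}

// After: every Jira-sourced value is escaped at the point of output.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.displayName)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Issue a per-session token that every state-changing request must echo back.
function issueXsrfToken(session) {
  session.xsrfToken = nodeCrypto.randomBytes(32).toString("hex");
  return session.xsrfToken;
}

// Reject missing or wrong-length tokens, then compare in constant time.
function xsrfTokenValid(session, submitted) {
  if (typeof submitted !== "string" || typeof session.xsrfToken !== "string") return false;
  const expected = Buffer.from(session.xsrfToken);
  const actual = Buffer.from(submitted);
  return expected.length === actual.length && nodeCrypto.timingSafeEqual(expected, actual);
}

// Hypothetical anonymization handler: permission alone is not enough,
// because a forged cross-site request rides on the victim's permissions.
function handleAnonymize(session, request) {
  if (!session.canAnonymize) return { status: 403, reason: "no permission" };
  if (!xsrfTokenValid(session, request.token)) return { status: 403, reason: "bad XSRF token" };
  return { status: 200, anonymized: request.userKey };
}

// Constructed sample: a display name containing markup, as a Jira field might.
const sampleUser = { displayName: "<script>alert(1)</script>", email: "a@example.com" };
```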