META-INF Kft. Email This Issue Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in META-INF Kft. Email This Issue for Jira Data Center, in all versions prior to 9.13.0-GA. An attacker who can send email to a mailbox the app polls can execute arbitrary web script or HTML in other users' browsers by placing a crafted payload in a recipient address of the message. The payload is stored when the app's mail handler processes the email, and it executes when a user views the corresponding Jira issue.
Impact
Exploitation of this vulnerability results in persistent (stored) cross-site scripting: the injected script runs in the context of every user who views the affected Jira issue, with that user's Jira session and permissions.
Reproduction
To reproduce this vulnerability, inject a script into the local part of a syntactically valid email address (a quoted local part, as permitted by RFC 5322, lets the address carry characters such as `<` and `>` while still being accepted by the mail handler). Send an email carrying that address to a mailbox configured as an Incoming Connection in the Email This Issue application, with a Mail Handler set up to process the message and create a Jira issue. The injected script executes when the Emails tab of the created Jira issue is opened. The same stored payload also executes when the message is viewed in the Global Email Log under the app's Admin menu.
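The following is an added illustration of the flaw class described above and is not code from META-INF Kft. or from the Email This Issue app. It assumes, as an illustration only, that the handler stores the To recipients of the inbound mail and later renders them into the Emails tab; the header and function names are hypothetical. It parses a constructed message whose second recipient has a quoted local part containing script, shows an unescaped HTML sink beside an output-encoded one, and includes a check that flags such addresses when reviewing an email log.

```python
import html
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the advisory). The second recipient is
# a syntactically valid RFC 5322 address: inside a quoted local part the
# characters '<', '>', '(' and ')' are allowed unescaped, so a naive address
# validator will accept it.
RAW_MESSAGE = (
    "From: reporter@example.org\r\n"
    'To: support@jira.example.com, "<script>alert(document.domain)</script>"@example.com\r\n'
    "Subject: Login page broken\r\n"
    "\r\n"
    "Steps to reproduce: open the login page and submit an empty form.\r\n"
)

# Characters that must never reach an HTML context unencoded.
HTML_SPECIALS = set('<>"\'&')


def extract_recipients(raw: str) -> list[str]:
    """Parse the To header into bare addr-specs, the way a mail handler
    would before storing them on the issue it creates (assumed flow)."""
    msg = message_from_string(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("To", [])) if addr]


def render_recipients_vulnerable(addresses: list[str]) -> str:
    """Vulnerable sink: stored addresses are interpolated into HTML verbatim,
    so the quoted local part becomes live markup on every page view."""
    items = "".join(f"<li>{addr}</li>" for addr in addresses)
    return f"<ul class='recipients'>{items}</ul>"


def render_recipients_hardened(addresses: list[str]) -> str:
    """Hardened sink: contextual output encoding at the point of rendering.
    The address is still stored and displayed, but only as text."""
    items = "".join(f"<li>{html.escape(addr, quote=True)}</li>" for addr in addresses)
    return f"<ul class='recipients'>{items}</ul>"


def suspicious_addresses(addresses: list[str]) -> list[str]:
    """Log-review check: flag addresses whose local part carries HTML
    metacharacters. This is a triage aid for an email log, not a fix;
    the fix is output encoding at the sink, since a quoted local part
    may legitimately contain characters such as '&'."""
    flagged = []
    for addr in addresses:
        local, _, _domain = addr.rpartition("@")
        if HTML_SPECIALS & set(local):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    recipients = extract_recipients(RAW_MESSAGE)
    print("stored recipients:", recipients)
    print("vulnerable render:", render_recipients_vulnerable(recipients))
    print("hardened render:  ", render_recipients_hardened(recipients))
    print("flagged for review:", suspicious_addresses(recipients))
```

Running the script shows the same stored address producing executable `<script>` markup from the first renderer and inert `&lt;script&gt;` text from the second; the recipient list itself is unchanged, which is why escaping belongs at the HTML sink rather than in the address validator.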
Remediation
Users are advised to upgrade to version 9.13.0-GA or later, where this vulnerability has been addressed.
