WorklogPRO - Jira Timesheets Plugin Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the WorklogPRO - Jira Timesheets plugin for Jira Data Center, affecting versions prior to 4.24.1-jira9, 4.24.1-jira10, and 4.24.1-jira11. The vulnerability allows attackers to inject arbitrary HTML or JavaScript by placing a crafted payload in the name of a filter. This injected code is executed in the user's browser when creating a timesheet using the custom timesheet dialog, as the filter name is not properly sanitized.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Remediation

Users can update to WorklogPRO - Jira Timesheets plugin versions 4.24.2-jira9, 4.24.2-jira10, or 4.24.2-jira11, all of which include the necessary security fix.