Patches for XSS / XSRF vulnerabilities

2010-10-12T01:07:00
ID ATLASSIAN:JRA-22493
Type atlassian
Reporter jwinters
Modified 2017-02-17T06:18:44

Description

We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS (Cross Site Scripting) attacks and/or Cross Site Request Forgery (XSRF) attacks. Full details of the severity, risks and vulnerabilities can be found in the [JIRA Security Advisory 2010-11-06|http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-12-06].

The patches below should be applied. Please note that no Studio instances are vulnerable at the time of this disclosure.

Note that these patches are cumulative and include the fixes that were applied in JRA-21004.

h3. Patches

||Version ||File ||
|3.13.5 |[patch-JRA-22493-3.13.5.zip|http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-22493-3.13.5-cumulative.zip] |
|4.0.2 |[patch-JRA-22493-4.0.2.zip|http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-22493-4.0.2-cumulative.zip] |
|4.1.2 |[patch-JRA-22493-4.1.2.zip|http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA-22493-4.1.2-cumulative.zip] |
|4.2 |[patch-JRA22493-4.2.zip|http://downloads.atlassian.com/software/jira/downloads/patch/patch-JRA22493-4.2.zip] |