CVE-2010-1164
Description
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple reflected XSS in Atlassian JIRA 3.12–4.1 let attackers inject arbitrary script via various parameters; exploited in April 2010.
Vulnerability
Atlassian JIRA versions 3.12 through 4.1 contain multiple cross-site scripting (XSS) vulnerabilities in several pages. The Colour Picker page reflects user-supplied input via the element and defaultColor parameters without sanitization. The User Picker and Group Picker pages fail to encode the formName, element, and the full name or group name fields. Additional XSS vectors exist on groupnames.jsp, indexbrowser.jsp, classpath-debug.jsp, viewdocument.jsp, cleancommentspam.jsp, and on announcement preview, runportleterror.jsp, issuelinksmall.jsp, screenshot-redirecter.jsp, and the 500 error page via the HTTP Referrer header. These issues are documented in JRA-20994 and detailed in the Atlassian security advisory [1].
Exploitation
An attacker can send a crafted link or form submission to a victim who has access to a JIRA instance. The attacker does not need authentication or special privileges; any user who clicks the crafted URL or submits the malicious input will trigger the script execution in their browser session. For example, the afterURL parameter in screenshot-redirecter.jsp or the URI in issuelinksmall.jsp can be used to inject XSS payloads. The advisory notes that these vulnerabilities were exploited in the wild in April 2010 [1][4].
Impact
Successful exploitation allows a remote attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the victim's interaction with JIRA; the attacker does not gain server-side privileges directly, but can leverage the XSS to perform actions as the victim user.
Mitigation
Atlassian released JIRA version 4.1.1 which contains fixes for these XSS vulnerabilities [1][2]. Users are strongly advised to upgrade to version 4.1.1 or later. No workarounds are described if an immediate upgrade is not possible. The advisory includes steps to determine if a system has been compromised, such as auditing logs for unusual activity [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:atlassian:jira:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.5:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.1:*:*:*:*:*:*:*
- (no CPE) version range: >=3.12 <=4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 (NVD; Patch; Vendor Advisory)
- jira.atlassian.com/browse/JRA-21004 (NVD; Patch; Vendor Advisory)
- jira.atlassian.com/browse/JRA-20994 (NVD; Vendor Advisory)
- secunia.com/advisories/39353 (NVD; Vendor Advisory)
- www.openwall.com/lists/oss-security/2010/04/16/3 (NVD)
- www.openwall.com/lists/oss-security/2010/04/16/4 (NVD)
- www.securityfocus.com/bid/39485 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/57826 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/57827 (NVD)
News mentions
No linked articles in our index yet.