CVE-2019-12836
Description
The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JEditor before 3.0.6 for Jira accepts .html uploads and serves them inline from the Jira origin, so script in an uploaded file runs in the session of any authenticated user who views it (stored XSS); the CVE description frames the consequence as forged requests, session-token theft and account takeover.
Vulnerability
CVE-2019-12836 is catalogued as a request-forgery issue in the Bobronix JEditor WYSIWYG editor for Jira, affecting versions before 3.0.6. The underlying defect, per the public proof of concept [1], is an upload handling flaw: the editor permits file uploads and .HTML is among the accepted extensions, so an attacker can attach an HTML file to an existing Jira issue. The content is stored on the Jira instance and later served by the jeditor_file_provider servlet (path /plugins/servlet/jeditor_file_provider). The servlet returns the uploaded HTML inline, in the Jira origin, to any authenticated user who requests it, without restricting the content type or forcing a download; script in the file therefore executes with the viewer's session [1].
Exploitation
To exploit the issue, an attacker needs an authenticated Jira account with permission to add attachments or links to an issue. The attacker uploads a crafted .HTML file containing a forgery script (for example, an auto-submitting form or an XMLHttpRequest). Because the file is served from the Jira origin, that script can issue authenticated requests to Jira itself or send data to an attacker-controlled, out-of-origin domain. The attacker then entices an authenticated victim (who may hold higher privileges) to view the issue or to open the uploaded file URL directly. The victim's browser renders the HTML and runs the script in the context of the victim's session; no interaction beyond viewing the page is required [1].
Impact
Successful exploitation lets the attacker forge authenticated requests on behalf of the victim. This can lead to theft of session tokens, unauthorized actions within Jira (for example, granting permissions) and ultimately takeover of the victim's Jira account. The defect is client-side (it yields no server-side code execution), but it compromises the integrity and confidentiality of the Jira instance for every affected user, and a privileged victim extends the reach to the whole instance [1].
Mitigation
The vulnerability is fixed in JEditor version 3.0.6. The fix is documented in the release notes at https://jeditor.zendesk.com/hc/en-us/articles/360029430751 (now redirecting to Bobronix support). Administrators should upgrade every Jira instance running JEditor to 3.0.6 or later. No workaround is described in the available references. As general hardening rather than an official mitigation, removing .html (and other browser-active types such as .htm and .svg) from the permitted upload extensions, or serving user uploads with Content-Disposition: attachment and a non-HTML content type so the browser never renders them, would remove the rendering path the attack depends on [1].
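The exploitation and mitigation sections above both turn on one question: does the file-serving endpoint return an uploaded .html file in a way the browser will render inline with script enabled? The following is an added example, not code from the CVE page, the proof of concept or the JEditor project. It classifies a set of response headers as inline-rendering (the condition the attack needs) or inert, and shows the headers a hardened upload servlet should emit instead. The sample response and the servlet URL are constructed assumptions based on the page's description, not captured traffic; whether JEditor 3.0.6 applies exactly these headers is not stated by the page.

```python
"""Classify how a browser treats a served upload, and build safe headers.

Added example; assumptions (sample headers, URL shape) are marked inline.
"""
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# MIME types a browser will execute script from when they are rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Constructed sample: what a vulnerable jeditor_file_provider response would
# look like according to the page (uploaded .html served inline in the Jira
# origin). These header values are an assumption, not captured traffic.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Length": "312",
    "Cache-Control": "no-cache",
}


def renders_inline(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (vulnerable, findings) for one HTTP response's headers.

    vulnerable is True when a browser would render the body inline with
    script enabled in the serving origin. Header names are matched
    case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    csp = h.get("content-security-policy", "").lower()

    if disposition.startswith("attachment"):
        findings.append("Content-Disposition: attachment forces a download; nothing is rendered")
        return False, findings
    if not ctype:
        findings.append("no Content-Type: browser content sniffing can treat the body as HTML")
        return True, findings
    if ctype not in ACTIVE_TYPES:
        findings.append(f"served as {ctype}: inert in the browser")
        return False, findings
    findings.append(f"served inline as {ctype}: script executes in the serving origin")
    # A CSP sandbox directive without allow-scripts blocks script even for HTML.
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "sandbox" and "allow-scripts" not in tokens:
            findings.append("CSP sandbox without allow-scripts: script is blocked")
            return False, findings
    return True, findings


def hardened_headers(filename: str) -> Dict[str, str]:
    """Headers a file-serving servlet should emit for user uploads so the
    file is downloaded, never rendered, whatever its extension. This is the
    general remedy, not a description of the vendor's 3.0.6 change."""
    # Strip quote and CRLF characters so the filename cannot break the header.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def check_live(url: str, session_cookie: str, timeout: float = 10.0) -> Tuple[bool, List[str]]:
    """Fetch an already-uploaded .html file from a Jira instance you are
    authorised to test and classify its response headers. The URL shape
    (e.g. https://jira.example/plugins/servlet/jeditor_file_provider?...) is
    a hypothetical; this function is not exercised offline."""
    req = Request(url, headers={"Cookie": session_cookie})
    with urlopen(req, timeout=timeout) as resp:
        return renders_inline(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, hdrs in (("constructed vulnerable response", VULNERABLE_RESPONSE),
                        ("hardened response", hardened_headers("report.html"))):
        vulnerable, notes = renders_inline(hdrs)
        print(f"{label}: {'RENDERS INLINE' if vulnerable else 'inert'}")
        for note in notes:
            print("  -", note)
```

To test a real instance, upload an innocuous .html file to an issue you control, then call check_live with that file's URL and your own session cookie; a result of True means the instance still serves uploads the way the CVE describes. Forcing a download with Content-Disposition: attachment is the decisive control; nosniff and the CSP sandbox are defence in depth in case the content type is ever set from the upload's extension again.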
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- [1] github.com/9lyph/CVE-2019-12836/blob/master/README.md (MITRE refsource: MISC)
- [2] jeditor.zendesk.com/hc/en-us/articles/360029430751-JEditor-3-0-6-release-notes (MITRE refsource: CONFIRM)
News mentions (0)
No linked articles in our index yet.