CVE-2022-32274

An attacker creates a Jira project whose name contains malicious JavaScript. When any user (including administrators) opens the scheduled-issue creation wizard, the add-on fetches the project list via `GET /rest/thescheduler/1.0/project` and renders the unsanitized project name in the browser, executing the injected script [ref_id=1]. The attacker needs only the ability to create or rename a project in Jira; no special privileges on the add-on itself are required.

The vulnerable endpoint is `/rest/thescheduler/1.0/project`, which loads project names when creating a scheduled issue. The creation function in the Transition Scheduler add-on 6.5.0 fails to sanitize the project name before reflecting it in the server response [ref_id=1].

The advisory states the manufacturer closed the vulnerability on 2022-07-12, but no patch diff is included in the bundle [ref_id=1]. The recommended remediation is to implement proper input validation and output encoding of the project name before it is returned by the REST endpoint, preventing JavaScript from being interpreted by the browser.