CVE-2024-42912
Description
A cross-site scripting (XSS) vulnerability in META-INF Kft. Email This Issue (Data Center) before 9.13.0-GA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the recipient field of an e-mail message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Email This Issue for Jira DC allows attackers to execute arbitrary HTML/JavaScript by injecting a malicious payload into the recipient field of an email.
Vulnerability
Overview
A cross-site scripting (XSS) vulnerability exists in META-INF Kft.'s Email This Issue plugin for Jira Server/Data Center, versions prior to 9.13.0-GA [1]. The flaw resides in the Email Audit Log feature, where a crafted email address containing a malicious script can be injected into the recipient field (TO, CC, or BCC) of an email message [1]. Because the application does not sanitize email addresses before displaying them on the Emails tab of a Jira issue, the injected payload is stored and later executed in the browser of any user viewing that tab [1].
Exploitation
Attack Vector
To exploit the vulnerability, an attacker must create a syntactically valid email address whose local part contains arbitrary HTML/JavaScript (e.g., "xss-test."@domain.tld) [1]. This email address must then be used as a recipient in a message sent to a mailbox configured as an Incoming Connection within Email This Issue [1]. Additionally, a Mail Handler must be configured for that incoming connection so that the application processes the message and automatically creates a Jira issue [1]. Once the email is processed and the issue exists, navigating to the Emails tab on the corresponding Jira issue executes the attacker's script in the victim's browser [1].
Impact
An attacker who successfully injects a stored XSS payload can execute arbitrary web scripts or HTML in the context of an authenticated Jira user viewing the affected issue's Emails tab [1]. This could lead to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The CVSS v3 base score is 5.4 (Medium) [1].
Mitigation
The vendor has addressed the vulnerability in version 9.13.0-GA by adding sanitization of email addresses to neutralize injection threats [1]. Users of affected versions (9.12.0-GA and earlier) should upgrade to 9.13.0-GA or later [1]. No workarounds are documented in the advisory.
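The root cause described above is that an address can pass a syntax check while its quoted local part carries markup, so validation alone does not help and the address must be HTML-escaped where it is displayed. The following is an added illustration, not code from the plugin or the advisory; the function names, the minimal addr-spec check and the sample addresses are all constructed for this example.

```python
import html
import re

# Minimal RFC 5322 addr-spec check (constructed for this example): the local part
# is either a dot-atom or a quoted-string, which may legally contain '<' and '>'.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = ATEXT + r"+(?:\." + ATEXT + r"+)*"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
ADDR_SPEC = re.compile("(?:" + DOT_ATOM + "|" + QUOTED_STRING + ")@" + DOT_ATOM)


def is_valid_addr_spec(addr: str) -> bool:
    """True if the string is a syntactically valid addr-spec (quoted local parts allowed)."""
    return ADDR_SPEC.fullmatch(addr) is not None


def render_recipients_unsafe(recipients: list[str]) -> str:
    """Mirrors the flaw: recipient strings are concatenated straight into the page markup."""
    return "<ul>" + "".join(f"<li>{r}</li>" for r in recipients) + "</ul>"


def render_recipients_safe(recipients: list[str]) -> str:
    """The mitigation: HTML-escape each address at the point it is emitted into HTML."""
    return "<ul>" + "".join(f"<li>{html.escape(r, quote=True)}</li>" for r in recipients) + "</ul>"


# Detection helper for the rendered output: any tag other than our own <ul>/<li>
# came from recipient data and should never appear.
FOREIGN_TAG = re.compile(r"<(?!/?(?:ul|li)\b)[^>]*>")


def contains_foreign_markup(rendered: str) -> bool:
    return FOREIGN_TAG.search(rendered) is not None


# Constructed sample audit-log recipients: the second one is a valid addr-spec
# whose quoted local part carries markup.
SAMPLE_RECIPIENTS = [
    "alice@example.com",
    '"<b>xss-test</b>"@example.com',
]

if __name__ == "__main__":
    for addr in SAMPLE_RECIPIENTS:
        print(f"{addr!r} valid addr-spec: {is_valid_addr_spec(addr)}")
    print("unsafe render leaks markup:", contains_foreign_markup(render_recipients_unsafe(SAMPLE_RECIPIENTS)))
    print("safe render leaks markup:  ", contains_foreign_markup(render_recipients_safe(SAMPLE_RECIPIENTS)))
```

Both sample addresses pass the syntax check; only the escaped renderer keeps the quoted local part from becoming live markup in the viewer's browser.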
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.13.0-GA
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.