CVE-2025-67824

Vulnerability

Overview

CVE-2025-67824 is a stored Cross-Site Scripting (XSS) vulnerability in the WorklogPRO - Jira Timesheets plugin for Jira Data Center. The flaw resides in how the plugin handles filter names: when a user saves a search as a filter, the filter name is not properly sanitized before being stored. An attacker can inject arbitrary HTML or JavaScript into the filter name field, which is later rendered unsafely in the browser. [1]

Exploitation

To exploit this vulnerability, an attacker must have access to the Jira instance and be able to save a search filter. The attacker crafts a malicious payload (e.g., ``) and enters it as the filter name during the 'Save as' operation. When any user (including the attacker) navigates to the Timesheets page and opens the filter dropdown to create a timesheet, the payload is executed without proper output encoding. [1] No special privileges beyond the ability to save filters are required, making this a low-complexity attack.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is heightened because the attack is stored: any user who views the affected filter list becomes a potential victim. [1]

Mitigation

The vendor has addressed this issue in version 4.24.2 of the plugin for all Jira versions (jira9, jira10, jira11). Users are strongly advised to upgrade to 4.24.2 or later. Subsequent releases (e.g., 4.25.6) also include security fixes. [1][2] No workaround is documented; the recommended action is to apply the patch immediately.