Out of Office Assistant – Cross-Site Scripting (CVE-2025-45938)

ITEM             COMMENT
CVE              CVE-2025-45938
Software         Out of Office Assistant – Atlassian Jira
Version          < 4.2.0
Type of Issue    Cross-Site Scripting (stored)
CWE              CWE-79: https://cwe.mitre.org/data/definitions/79.html
OWASP            Testing for Stored Cross Site Scripting
Roles affected   All Roles
CVSS             High – 8.5
Credits          Thore Imhof from Y-Security

Summary

The Out of Office Assistant app for Jira lets a user delegate the handling of their tasks during out-of-office periods: an out-of-office rule names another Jira user who takes over while the rule owner is away. The app rendered the display name of that Jira user without HTML encoding. The display name can be changed to include HTML code, which is then stored and rendered as markup in the browser of any authenticated user or administrator who views the out-of-office rules. Because the payload persists in the user profile and fires on every view, this is a stored cross-site scripting issue (CWE-79).

Mitigation & Recommendation

The vendor, Akeles, fixed the vulnerability in version 4.2.0 of the app, which is available via the Atlassian Marketplace.

We recommend upgrading the app to the latest version. We confirmed that our initial exploit payload no longer works against the fixed version; however, we did not perform an extensive analysis of the patch.

We closely follow the OWASP guidelines when performing penetration tests, and we recommend following the OWASP Cross Site Scripting Prevention Cheat Sheet to mitigate cross-site scripting vulnerabilities: every user-controlled value, including a user's display name, must be encoded for the context (here, HTML element content) before it is inserted into the page.
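As an added illustration of the flaw described in the Summary and of the output-encoding fix the cheat sheet prescribes, the block below renders an out-of-office rule two ways and adds a small audit helper. This is example code written for this page, not code from the Out of Office Assistant app or from Akeles; the `rule` object, its field names `owner` and `delegateDisplayName`, and the function names are assumptions for illustration, and the sample display name is constructed.

```javascript
// Added example, not code from the Out of Office Assistant app. The data model
// (`owner`, `delegateDisplayName`) is an assumption made for this illustration.

// HTML-body-context entity encoding, as the OWASP Cross Site Scripting
// Prevention Cheat Sheet recommends for untrusted data placed in element
// content. '&' is encoded first so already-encoded output is not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the delegate's display name is concatenated straight into
// markup, so a name that contains a tag is rendered as a tag for every viewer.
function renderRuleUnsafe(rule) {
  return (
    "<tr><td>" + rule.owner + "</td><td>" + rule.delegateDisplayName + "</td></tr>"
  );
}

// Hardened pattern: the same template, with every untrusted value encoded for
// the HTML-body context before insertion. The browser now shows the tag as
// literal text instead of executing it.
function renderRuleSafe(rule) {
  return (
    "<tr><td>" + escapeHtml(rule.owner) + "</td><td>" +
    escapeHtml(rule.delegateDisplayName) + "</td></tr>"
  );
}

// Audit helper: given a list of user records (for example from a user export),
// return the display names that contain '<' or '>', the two characters needed
// to inject a tag. Quotes and ampersands are deliberately not flagged because
// they occur in legitimate names (O'Brien, "Smith & Sons").
function findHtmlInDisplayNames(users) {
  return users
    .filter((u) => /[<>]/.test(u.displayName))
    .map((u) => u.displayName);
}

// Constructed sample: a delegate whose display name carries a classic XSS
// canary (an image with an invalid source and an onerror handler).
const sampleRule = {
  owner: "alice",
  delegateDisplayName: '<img src=x onerror="alert(1)">Bob',
};

// Constructed sample user list for the audit helper.
const sampleUsers = [
  { displayName: "Alice Example" },
  { displayName: sampleRule.delegateDisplayName },
  { displayName: "O'Brien" },
];

console.log("unsafe :", renderRuleUnsafe(sampleRule));
console.log("safe   :", renderRuleSafe(sampleRule));
console.log("flagged:", findHtmlInDisplayNames(sampleUsers));
```

The unsafe renderer emits the `<img ...>` element verbatim, so the `onerror` handler runs in the viewer's browser; the hardened renderer emits `&lt;img ... &gt;Bob`, which the browser displays as text. The audit helper is a stop-gap for administrators who cannot upgrade immediately: it does not fix the encoding bug, it only surfaces accounts whose display names already carry tag characters.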

Disclosure Policy

At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The vendor released a fix before the 90-day deadline and agreed to the publication of the CVE.

Disclosure Timeline

DATE         COMMENT
05.03.2025   Y-Security discovered the vulnerability and communicated it to the client
10.04.2025   Reported to the Bugcrowd "Third Party Marketplace Apps" program
12.05.2025   CVE assigned (CVE-2025-45938)
13.05.2025   First direct contact with Akeles support
14.05.2025   Reported to the Akeles Bugcrowd program
16.06.2025   Akeles released a fix (version 4.2.0)
03.07.2025   Y-Security disclosed CVE-2025-45938
18.11.2025   Release of this blog post

Author

Thore Imhof
thore@y-security.de
Y-Security GmbH
18. November 2025