Reminder for Jira – Cross-Site Scripting (CVE-2023-30453)

ITEM Comment
Software Reminder for Jira – Follow Up Issues
Vendor Teamlead
Version < 2.6.6
Type of Issue Cross-Site Scripting
CVE CVE-2023-30453
OWASP Testing for Stored Cross Site Scripting
Roles affected All
CVSS High – 8.5
Credits Sven Schlüter & Thore Imhof from Y-Security


The Plugin Reminder for Jira gives users the ability to create simple reminders for themselves and other users within the same Jira instance. It is possible to embed HTML code directly within a single reminder, leading to a Cross-Site Scripting vulnerability, that can be used to target other users. The victim user simply has to view the reminder and the attacker’s payload will be triggered within the victim’s browser.

CVE-2023-30453 was assigned for this vulnerability.

Mitigation & Recommendation

The vulnerability has been fixed in version 2.6.6, although it is not mentioned explicitly which security vulnerabilities were fixed with this patch.

It is recommended to upgrade the plugin to the latest version, which fixes this vulnerability. We tested the updated plugin to ensure this vulnerability can no longer be exploited.

We closely follow the OWASP Guidelines when performing penetration tests and we recommend following the Cross-Site Scripting Prevention Cheat Sheet to successfully mitigate Cross-Site Scripting vulnerabilities.

Disclosure Policy

At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclosure the vulnerability after a fix had been released.

Disclosure Timeline

04.11.2022 Y-Security discovered security vulnerability & communicated to client
22.12.2022 Y-Security reported issue to Atlassian Bugcrowd Program
23.12.2022 Bugcrowd unable to reproduce issue / requested further information
02.01.2023 Y-Security provided additional information and Video Proof of Concept
04.01.2023 Bugcrowd reproduced & acknowledged issue
13.01.2023 Bugcrowd forwarded issue to Product Owner
16.01.2023 Y-Security requested CVE via Bugcrowd
30.01.2023 Y-Security requested update
01.02.2023 Bugcrowd declined CVE request
01.03.2023 Y-Security reminded Bugcrowd of disclosure date
02.03.2023 Bugcrowd provided status update
03.03.2023 Teamlead confirmed working on fix
07.03.2023 Y-Security coordinated fix with client
13.03.2023 Y-Security giving notice of disclosure policy
17.03.2023 Teamlead released fix
04.04.2023 Y-Security requested update with no response
10.04.2023 CVE assigned (CVE-2023-30453)
11.04.2023 Y-Security informed Bugcrowd of assigned CVE
16.05.2023 Y-Security disclosed CVE-2023-30453


Thore Imhof
Y-Security GmbH
16. May 2023