97517

https://confluence.atlassian.com/jiracore/jira-core-7-1-x-release-notes-802161668.html#JIRACore7.1.xreleasenotes-v7.1.9v7.1.9-06July2016

https://jira.atlassian.com/browse/JRA-61803

https://jira.atlassian.com/browse/JRASERVER-61803

https://jira.atlassian.com/secure/ReleaseNote.jspa?projectId=10240&version=62034

The version of JIRA installed on the remote host is earlier than 7.1.9 and is affected by multiple vulnerabilities :

 - A flaw exists as HTTP requests to '/auditing/settings' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to perform unspecified actions.
 - A flaw allows a stored cross-site scripting (XSS) attack. This flaw exists because the '/project/ViewDefaultProjectRoleActors.jspa' script does not validate input to role names before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

CVE-2016-4319

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins