CVE-2008-6831

Name of the Vulnerable Software and Affected Versions: Atlassian JIRA Enterprise Edition version 3.13

Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This can be achieved via the fullname parameter in the ViewProfile page or the returnUrl parameter in a form. An example of exploitation is demonstrated using the "Add Comment" functionality, accessible through the secure/AddComment!default.jspa endpoint.

Recommendations: For Atlassian JIRA Enterprise Edition version 3.13, consider restricting access to the fullname and returnUrl parameters to minimize the risk of exploitation. As a temporary workaround, avoid using the fullname parameter in the ViewProfile page and the returnUrl parameter in forms until a patch is available.