CVE-2018-13387

Name of the Vulnerable Software and Affected Versions Atlassian JIRA Server versions prior to 7.6.7 Atlassian JIRA Server versions 7.7.0 through 7.7.5 Atlassian JIRA Server versions 7.8.0 through 7.8.5 Atlassian JIRA Server versions 7.9.0 through 7.9.3 Atlassian JIRA Server versions 7.10.0 through 7.10.2

Description The issue allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter. This is due to an incomplete fix for a previous issue.

Recommendations For versions prior to 7.6.7, update to version 7.6.7 or later. For versions 7.7.0 through 7.7.5, update to version 7.7.5 or later. For versions 7.8.0 through 7.8.5, update to version 7.8.5 or later. For versions 7.9.0 through 7.9.3, update to version 7.9.3 or later. For versions 7.10.0 through 7.10.2, update to version 7.10.2 or later. As a temporary workaround, consider restricting access to the IncomingMailServers resource until a patch is available. Avoid using the messagesThreshold parameter in affected API endpoints until the issue is resolved.