Security Advisory (Medium) - 10th May 2021

This advisory discloses a medium severity security vulnerability in the ActionableAgile for Jira plugin for Server and Data Center instances. All versions of this plugin up to and including 3.9.3.1 are affected by this vulnerability.

If you do have this plugin installed in your server or data center instances, upgrade your installations to version 3.9.4 at your earliest convenience to fix this vulnerability. Please note that this does NOT affect any Jira cloud instances.

XSS vulnerability in ActionableAgile for Jira

Severity

We rate the severity level of this vulnerability as medium, according to the scale published in Atlassian’s severity levels. The scale allows us to rank the severity as critical, high, medium, or low and is based on the CVSS vulnerability metric. You can learn more about CVSS at FIRST.org.

This is our assessment, and you should evaluate its applicability to your own IT environment.

Description

There is a cross-site scripting (XSS) vulnerability affecting the ActionableAgile for Jira (Server or Data Center) plugin. XSS vulnerabilities allow an attacker to inject their own JavaScript into a page that is then executed in the browsers of other users of that page.

This vulnerability affects all versions up to and including 3.9.3.1. 

Acknowledgements

Thanks to visat for finding and reporting this vulnerability via our Bug Bounty program hosted through BugCrowd.

Fix

We have taken the following steps to address this issue:

Released version 3.9.4 that contains a fix for this issue.

What You Need to Do

Check whether your Jira Server/Data Center instance has the vulnerable plugin installed. To do this, go to your installed applications and search for the “ActionableAgile for Jira” plugin. If it is installed, check its version. If the version is lower than 3.9.4, the instance is vulnerable.

Upgrade to the latest version. Details on how to update apps can be found here.
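For administrators with many instances, the version check above can be scripted. The following is an added example, not code from the advisory or from the plugin vendor. It assumes a plugin inventory in the shape returned by Jira's Universal Plugin Manager REST listing (a JSON object with a "plugins" array of key/name/version/enabled entries); the sample listing and the plugin keys in it are constructed placeholders, since the advisory does not publish the plugin's key. The point it makes beyond the text is that versions must be compared numerically, component by component: a plain string comparison would treat a hypothetical "3.10.0" as lower than "3.9.4" and misreport it as vulnerable.

```python
"""Flag installed ActionableAgile for Jira plugins older than the fixed version 3.9.4."""
import json

FIXED_VERSION = "3.9.4"                     # first release containing the fix, per the advisory
PLUGIN_NAME = "ActionableAgile for Jira"    # display name to search for, as in the advisory

# CONSTRUCTED sample in the shape of a Jira UPM plugin listing (GET /rest/plugins/1.0/).
# The plugin keys are placeholders, not the real key of the ActionableAgile plugin.
SAMPLE_UPM_LISTING = json.dumps({
    "plugins": [
        {"key": "PLACEHOLDER.actionableagile", "name": "ActionableAgile for Jira",
         "version": "3.9.3.1", "enabled": True},
        {"key": "com.example.other-app", "name": "Some Other App",
         "version": "1.2.0", "enabled": True},
        {"key": "PLACEHOLDER.actionableagile-second-instance", "name": "ActionableAgile for Jira",
         "version": "3.10.0", "enabled": False},
    ]
})


def parse_version(version):
    """Turn '3.9.3.1' into (3, 9, 3, 1) so tuples compare numerically, not lexically.

    Splitting stops at the first non-numeric component (e.g. '3.9.4-SNAPSHOT' -> (3, 9, 4)).
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is strictly lower than the fixed version.

    Tuple comparison handles different lengths correctly: (3, 9, 3, 1) < (3, 9, 4)
    and (3, 9, 4, 1) is not lower than (3, 9, 4).
    """
    return parse_version(version) < parse_version(fixed)


def find_affected_plugins(upm_json, name=PLUGIN_NAME):
    """Return every listed plugin with the given display name whose version predates the fix.

    Disabled plugins are reported too: a disabled plugin is still installed and should be upgraded
    before it is re-enabled.
    """
    listing = json.loads(upm_json)
    affected = []
    for plugin in listing.get("plugins", []):
        if plugin.get("name") == name and is_affected(plugin.get("version", "0")):
            affected.append({
                "key": plugin.get("key"),
                "version": plugin["version"],
                "enabled": plugin.get("enabled", False),
            })
    return affected


if __name__ == "__main__":
    for entry in find_affected_plugins(SAMPLE_UPM_LISTING):
        print(f"AFFECTED: {entry['key']} version {entry['version']} (enabled={entry['enabled']})")
```

On a real instance, replace SAMPLE_UPM_LISTING with the JSON fetched from the plugin manager by an administrator account and, if you know the plugin's actual key, match on the key rather than the display name, which is the more robust identifier.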

Support

If you have questions or concerns regarding this advisory, please raise a support request via our support desk.

Last modified on May 10, 2021