Vulnerability Details : CVE-2010-1164
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2010-1164
- cpe:2.3:a:atlassian:jira:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:3.13.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2010-1164
- 0.32%: probability of exploitation activity in the next 30 days
- ~67%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2010-1164
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2010-1164
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-1164
- http://www.securityfocus.com/bid/39485
  Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
- http://jira.atlassian.com/browse/JRA-20994
  [JRASERVER-20994] XSS Vulnerabilities in JIRA - Create and track feature requests for Atlassian products. (Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57826
  Atlassian JIRA groupnames cross-site scripting CVE-2010-1164 Vulnerability Report
- http://jira.atlassian.com/browse/JRA-21004
  [JRASERVER-21004] XSS and Privilege Escalation Vulnerabilities in JIRA - Create and track feature requests for Atlassian products. (Patch; Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57827
  Atlassian JIRA element cross-site scripting undefined Vulnerability Report
- http://www.openwall.com/lists/oss-security/2010/04/16/4
  oss-security - Re: CVE Request: JIRA Issues
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16
  JIRA Security Advisory 2010-04-16 - Atlassian Documentation (Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2010/04/16/3
  oss-security - CVE Request: JIRA Issues