Security
Security
Breadcrumbs

2021-02-25 Time in Status for Jira Server and Data Center Security Advisory

Title

Security vulnerability for Time in Status

Summary

A vulnerability discovered in Time in Status allows an attacker to run JavaScript code on your Jira pages.

Security Advisory Release Date

25.02.2021

Severity

Medium

Affected Products

Time in Status Server

Time in Status Data Center

Affected Version(s)

All versions before 4.13.0

Fixed Version(s)

4.13.0

Details

A vulnerability in Time in Status version 4.12.0 and earlier versions may allow an attacker to execute custom Javascript code on your Jira pages.

  • In order to exploit this vulnerability, the attacker must already have a valid user on Jira. Attackers without a valid Jira login cannot exploit this vulnerability.

Workaround

No workaround is available.

Permanent Fix

Upgrade to Time in Status 4.13.0 or above.

What you should do

If you are using a version of Time in Status before 4.13.0, you should update your app to versin 4.13.0 or above.

Support

If you have questions, you can reach OBSS support team through htttps://pluginsupport.obss.com.tr/ or by sending an e-mail to plugin@obss.com.tr

Frequently Asked Questions (FAQ)

  • I am using Jira Cloud. Do I need to do anything?No, this vulnerability only affects Jira Server and Data Center. Jira Cloud users don't need to do anything.

  • Does this vulnerability affect other parts of Jira?No, the vulnerability is Time in Status specific and can only be exploited through Time in Status pages and frames. Other parts of Jira are not affected.

  • I am already using Time in Status 4.13.0 or above. Do I need to do anything?Using the latest version of the app is always recommended but customers using Time in Status 4.13.0 or above are already working on a fixed version. They don't need to upgrade for security purposes.

  • Is it possible to detect if this vulnerability is exploited in the past?No, there is no way to detect if this vulnerability is exploited by an attacker.

  • I've installed Time in Status in the past but currently it is not installed/enabled on my Jira. Do I need to do anything?No, this vulnerability does not leave a permanent mark on your system. If you don't have Time in Status on your system now, you don't have to do anything.

  • I've the evaluation version of Time in Status. Is my system affected too?Yes, this vulnerability is not related to the installed license. Both evaluations and paid versions are affected.

  • My Jira version is not supported by the latest version of Time in Status. What should I do?Time in Status currently supports all Jira versions that are supported by Atlassian. You are recommended to upgrade your Jira to a version that is supported by Atlassian and then upgrade Time in Status.


Unable to locate Jira server for this macro. It may be due to Application Link configuration.