Atlassian Partner, Wellington - Security Vulnerability Affecting User Management

The following apps have been found to contain a stored cross-site scripting (XSS) vulnerability on the Bulk User Actions page.

  • User Management for Jira
  • User Management for Confluence
  • User Management for Bitbucket

This affects the following versions:

  • User Management for Jira: 2.0.0 - 2.17.1
  • User Management for Confluence: 2.0.0 - 2.15.24
  • User Management for Bitbucket: 2.2.2 - 2.15.24

These vulnerabilities have been assessed to have a CVSS v3 score of 7.5 (High): https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Please note: this is an independent assessment and you should evaluate its applicability to your own IT environment. 

This issue has been assigned the CVE number: CVE-2023-36662

Recommended Actions:

We recommend that you upgrade to a fixed version as soon as possible to ensure that you are not affected.

If you are not able to upgrade to a fixed version, please consider disabling the app until you can, or contact us directly at support@techtime.co.nz.

| Base Product | Base Product Version Range | Fixed Version |
|---|---|---|
| Jira | Jira 7.0.0 - 7.1.10 | User Management for Jira v2.12.5 |
| Jira | Jira 7.2.0 - 7.13.8 | User Management for Jira v2.16.2 |
| Jira | Jira 8.0.0.m0021 - 9.9.0 (or latest) | User Management for Jira v2.17.2 |
| Confluence | Confluence 5.10.0 - 6.12.4 | User Management for Confluence v2.5.7 |
| Confluence | Confluence 6.10.0 - 6.15.10 | User Management for Confluence v2.14.25 |
| Confluence | Confluence 7.0.1 - 8.2.3 (or latest) | User Management for Confluence v2.15.25 |
| Bitbucket | Bitbucket 4.0.0 - 5.10.4 | User Management for Bitbucket v2.7.1.2 |
| Bitbucket | Bitbucket 5.11.0 - 6.10.17 | User Management for Bitbucket v2.14.21 |
| Bitbucket | Bitbucket 7.0.0 - 8.11.0 (or latest) | User Management for Bitbucket v2.15.23 |


TechTime would like to acknowledge and thank Carl Nykvist for discovering and reporting these vulnerabilities.
