The following apps have been discovered to be vulnerable to a stored cross-site scripting vulnerability on the Bulk User Actions page.
- User Management for Jira
- User Management for Confluence
- User Management for Bitbucket
This affects the following versions:
- User Management for Jira: 2.0.0 - 2.17.1
- User Management for Confluence: 2.0.0 - 2.15.24
- User Management for Bitbucket: 2.2.2 - 2.15.24
These vulnerabilities have been assessed to have a CVSS v3 impact of 7.5 (High) https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Please note: this is an independent assessment and you should evaluate its applicability to your own IT environment.
This issue has been assigned the CVE number: CVE-2023-36662
Recommended Actions:
We recommend that you upgrade to a fixed version as soon as possible to ensure that you are not affected.
If you are not able to upgrade to a fixed version, please consider disabling the app until you can, or contact us directly at support@techtime.co.nz
Base Product | Base Product Version Range | Fixed Version |
|---|---|---|
| Jira | Jira 7.0.0 - 7.1.10 | User Management for Jira v2.12.5 |
| Jira | Jira 7.2.0 - 7.13.8 | User Management for Jira v2.16.2 |
| Jira | Jira 8.0.0.m0021 - 9.9.0 (or latest) | User Management for Jira v2.17.2 |
| Confluence | Confluence 5.10.0 - 6.12.4 | User Management for Confluence v2.5.7 |
| Confluence | Confluence 6.10.0 - 6.15.10 | User Management for Confluence v2.14.25 |
| Confluence | Confluence 7.0.1 - 8.2.3 (or latest) | User Management for Confluence v2.15.25 |
| Bitbucket | Bitbucket 4.0.0 - 5.10.4 | User Management for Bitbucket v2.7.1.2 |
| Bitbucket | Bitbucket 5.11.0 - 6.10.17 | User Management for Bitbucket v2.14.21 |
| Bitbucket | Bitbucket 7.0.0 - 8.11.0 (or latest) | User Management for Bitbucket v2.15.23 |
TechTime would like to acknowledge and thank Carl Nykvist for discovering and reporting these vulnerabilities.