# Email This Issue Security Advisory 2025-06-30

## Overview

| Attribute             | Value                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Notes                                                                                           |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| Summary               | A [vulnerability](https://owasp.org/www-community/attacks/xss/) has been discovered affecting the [Email Audit Log](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log) feature in all versions of the app up to and including 9.12.0-GA. It allows an attacker to store a persistent (stored) cross-site scripting payload in the audit log, which is then executed in the browser of any user who views the affected entries. |                                                                                                 |
| Discoverer            | Antonio Kulhanek (Migros-Genossenschafts-Bund)                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                 |
| References            | <p><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79</a></p><p><a href="https://capec.mitre.org/data/definitions/592.html">CAPEC-592</a></p>                                                                                                                                                                                                                                                                                                     |                                                                                                 |
| CVSS score            | 8.8                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                 |
| Advisory release date | 2025-06-30                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                                                 |
| Affected versions     | All versions before 9.13.0                                                                                                                                                                                                                                                                                                                                                                                                                                     | [Version history](https://marketplace.atlassian.com/apps/4977/email-this-issue/version-history) |
| Fixed version         | 9.13.0                                                                                                                                                                                                                                                                                                                                                                                                                                                         | [Download version](https://marketplace.atlassian.com/download/apps/4977/version/1006141)        |

## About the vulnerability

### Components affected

A cross-site scripting (XSS) vulnerability in Email This Issue version 9.12.0-GA and prior allows an attacker to execute arbitrary web script or HTML by injecting a crafted payload into a recipient field (To, Cc or Bcc) of an e-mail message, where one or more valid email addresses are expected. When the application processes the message, the recipient address is stored in the email audit log and later displayed, without neutralization, on the Emails tab of the corresponding Jira issue, which lists the audit log entries for that issue.

### Attack vectors and attack simulation

The attacker crafts an email address whose local part is a quoted string carrying a script. Such an address is still well-formed and valid under the email address syntax rules, for example: `"xss-test.<script>alert('Hacked!')</script>"@domain.tld`. This address is then used as a recipient (an addressee in the TO, CC or BCC field) of an email message sent to a mailbox that is configured as an *Incoming Connection* in the *Email This Issue* application. A *Mail Handler* must also be configured for that *Incoming Connection* so that the application processes the message and creates a Jira issue for it. The payload is delivered entirely by email, so the attacker needs no access to Jira itself, only the ability to get a message delivered to the monitored mailbox. Finally, the malicious script executes when a user navigates to the [*Emails tab*](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log#emailauditlog-issuetab) of the corresponding Jira issue (as shown in the screenshot below).

{% hint style="info" %}
The same attack can also be executed via the [Global Email Log](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log#emailauditlog-globalemaillog) available from the app's Admin menu.
{% endhint %}

<figure><img src="https://4173056255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY44m7ZY1jU4Arh2tzwNn%2Fuploads%2FIluqNMToPafBfunwVXa9%2F3c_xss-test.png?alt=media&#x26;token=06765877-5c14-4f8b-a97c-c3c57b69fb6b" alt="The Emails tab of a Jira issue showing the processed malicious email"><figcaption><p>The Emails tab showing the processed malicious email in the Jira issue's Activity panel</p></figcaption></figure>
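The following Node.js script is an added example for this advisory; it is not code from Email This Issue or its vendor, and the header value, function names and table markup are constructed for the illustration and do not reflect the app's actual implementation. It shows why the crafted recipient described above passes a syntactic email-address check (the quoted-string local part is legal), contrasts a hypothetical unencoded render of the audit-log recipient cell with one that HTML-encodes the value, and includes a small helper for reviewing stored recipients for markup.

```javascript
// Added example for this advisory; not code from Email This Issue.
// Shows that the crafted recipient passes an RFC 5322-style syntax
// check, and that what decides between stored XSS and harmless text is
// whether the audit log HTML-encodes the address when rendering it.

// Constructed sample: the To: header of a message sent to the mailbox
// that is configured as an Incoming Connection. The second recipient has
// a quoted-string local part, which RFC 5322 allows to contain '<', '>',
// quotes and parentheses.
const SAMPLE_TO_HEADER =
  'support@example.com, "xss-test.<script>alert(\'Hacked!\')</script>"@domain.tld';

// Split a To/Cc/Bcc header on commas that are outside a quoted-string.
function splitRecipients(header) {
  const out = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (inQuotes && ch === '\\' && i + 1 < header.length) {
      cur += ch + header[++i]; // keep the escaped pair intact
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) {
      out.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur.trim() !== '') out.push(cur.trim());
  return out;
}

// Simplified addr-spec check: dot-atom or quoted-string local part,
// then a dotted domain. Validity is not safety: the quoted form accepts
// markup characters, so this check alone cannot stop the payload.
const DOT_ATOM = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const QUOTED_STRING = /^"([^"\\\r\n]|\\.)*"$/;
const DOMAIN = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isSyntacticallyValidAddress(addr) {
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) return false;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  return (DOT_ATOM.test(local) || QUOTED_STRING.test(local)) && DOMAIN.test(domain);
}

// Hypothetical vulnerable pattern: the stored address is concatenated
// into the Emails tab markup without encoding, so the browser parses the
// <script> element inside it.
function renderRecipientCellUnsafe(addr) {
  return `<td class="recipient">${addr}</td>`;
}

// Hardened pattern: encode the characters that are significant in HTML
// element content and attribute values before inserting the address.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderRecipientCellSafe(addr) {
  return `<td class="recipient">${escapeHtml(addr)}</td>`;
}

// Review helper for existing audit-log data: a recipient whose local
// part contains angle brackets is not a legitimate mailbox name in
// practice and is worth examining as a past exploitation attempt.
function looksLikeMarkupInjection(addr) {
  const local = addr.slice(0, addr.lastIndexOf('@'));
  return /[<>]/.test(local);
}

// Demonstration over the constructed header.
for (const addr of splitRecipients(SAMPLE_TO_HEADER)) {
  console.log(
    `${addr}\n  valid=${isSyntacticallyValidAddress(addr)}` +
      ` suspicious=${looksLikeMarkupInjection(addr)}`
  );
  console.log('  unsafe: ' + renderRecipientCellUnsafe(addr));
  console.log('  safe:   ' + renderRecipientCellSafe(addr));
}
```

Run it with `node` and compare the two renderings of the second recipient: the unsafe cell contains a live `<script>` element, the safe one contains `&lt;script&gt;` text. The point for defenders is that input validation against the email grammar cannot reject this payload, so output encoding at the rendering site is the control that matters; the review helper is useful after the upgrade for spotting entries that were stored while the app was still vulnerable.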

## Remediation

Version 9.13.0 adds email addresses to the set of audit log data that is sanitized before display, so a script embedded in a recipient address is neutralized rather than executed. Because the payload arrives in stored audit log entries, it is also worth reviewing existing entries (on the Emails tab and in the Global Email Log) for recipient addresses that contain markup, as these indicate earlier exploitation attempts.

Please upgrade to version 9.13.0-GA or later to obtain the fix.
