Email This Issue Security Advisory 2025-06-30
Possible XSS attack via email addresses of processed messages
Overview
Summary
A vulnerability has been discovered in the Email Audit Log feature of all versions of the app up to and including 9.12.0-GA. It allows an attacker to inject a persistent (stored) cross-site scripting payload that is executed when the affected audit log entries are viewed.
Discoverer
Antonio Kulhanek (Migros-Genossenschafts-Bund)
CVSS score
8.8
Advisory release date
2025-06-30
About the vulnerability
Components affected
A cross-site scripting (XSS) vulnerability in Email This Issue version 9.12.0-GA and prior allows attackers to execute arbitrary web scripts or HTML. The crafted payload is placed in a recipient field of an e-mail message (where one or more valid email addresses are expected), the message is processed by the application, and the address is then displayed unsanitized on the Emails tab of a Jira issue screen, which lists the corresponding email audit log items.
Attack vectors and attack simulation
The attacker has to create a well-crafted email address containing a malicious script in its local part. Because the local part is quoted, the result is still a well-formed, syntactically valid email address; the sample payload is "xss-test.<script>alert('Hacked!')</script>"@domain.tld. After that, this email address must be used as a recipient (i.e. in one of the TO, CC or BCC fields) of an email message sent to a mailbox that is configured as an Incoming Connection in the Email This Issue application. In addition, a Mail Handler must also be configured for this Incoming Connection so that the message is processed by the application and a Jira issue is created for it. Finally, the malicious script is executed when navigating to the Emails tab of the corresponding Jira issue (as seen below).

Remediation
Email addresses are now included in the set of data that the app sanitizes before display, so payloads embedded in an address are neutralized rather than rendered.
Please upgrade to version 9.13.0-GA or higher in order to have the fix included in your product.
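The following is an added example of the output-encoding approach the remediation describes; it is not Email This Issue's own code, and the `renderRecipients` helper, its markup shape and the `hasMarkupInLocalPart` ingestion check are hypothetical. It shows the vulnerable rendering beside the fixed one, using the sample payload quoted in the advisory as constructed input, and why a "valid email address" check alone is not a defence: a quoted local part may legitimately contain `<`, `>` and quotes.

```javascript
// Added example (not Email This Issue's own code): HTML-encode recipient
// addresses before rendering them into an audit-log view such as the Emails
// tab, so that markup inside a quoted local part is shown as text rather than
// interpreted as HTML. renderRecipients / renderRecipientsUnsafe and
// hasMarkupInLocalPart are hypothetical helpers written for this example.

// Escape the five characters that are significant in HTML text and
// attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Fixed rendering: every address goes through escapeHtml regardless of
// whether it "looks" valid. A syntactically valid address may still carry
// < > " ' in a quoted local part, so validity is not a substitute for
// output encoding.
function renderRecipients(addresses) {
  const items = addresses.map(
    (addr) => `<li class="recipient">${escapeHtml(addr)}</li>`,
  );
  return `<ul class="email-recipients">${items.join('')}</ul>`;
}

// Vulnerable counterpart, kept for comparison: interpolates the raw value,
// so a script tag inside the local part becomes live markup in the page.
function renderRecipientsUnsafe(addresses) {
  const items = addresses.map((addr) => `<li class="recipient">${addr}</li>`);
  return `<ul class="email-recipients">${items.join('')}</ul>`;
}

// Defensive ingestion-time check: flag addresses whose local part contains
// HTML-significant characters. Such characters are only possible inside a
// quoted local part and are rare in real mail, so logging these recipients
// gives a detection signal even though output encoding is the actual fix.
function hasMarkupInLocalPart(address) {
  const at = address.lastIndexOf('@');
  if (at < 0) return false;
  // Strip the enclosing quotes of a quoted local part before inspecting it.
  const local = address.slice(0, at).replace(/^"|"$/g, '');
  return /[<>"'&]/.test(local);
}

// Sample payload quoted in the advisory, and a benign address (constructed
// test input).
const SAMPLE_PAYLOAD = '"xss-test.<script>alert(\'Hacked!\')</script>"@domain.tld';
const BENIGN = 'alice@example.com';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderRecipientsUnsafe([BENIGN, SAMPLE_PAYLOAD]));
  console.log('fixed: ', renderRecipients([BENIGN, SAMPLE_PAYLOAD]));
  console.log('flagged:', hasMarkupInLocalPart(SAMPLE_PAYLOAD));
}
```

Running the block prints the unsafe markup containing a live `<script>` element, then the fixed markup in which the same address appears as `&lt;script&gt;` text. The `hasMarkupInLocalPart` check is deliberately not used to reject mail, since a quoted local part with such characters is valid; it is a logging hook, and the encoding step is what removes the risk.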