# Email This Issue Security Advisory 2025-06-30

## Overview

| Attribute | Value | Notes |
| --- | --- | --- |
| Summary | A [vulnerability](https://owasp.org/www-community/attacks/xss/) has been discovered affecting the [Email Audit Log](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log) feature in all versions of the app up to and including 9.12.0-GA. It allows an attacker to inject a persistent (stored) cross-site scripting payload that executes in the browser of anyone who views the affected log. | |
| Discoverer | Antonio Kulhanek (Migros-Genossenschafts-Bund) | |
| References | <p><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79</a></p><p><a href="https://capec.mitre.org/data/definitions/592.html">CAPEC-592</a></p> | |
| CVSS score | 8.8 | |
| Advisory release date | 2025-06-30 | |
| Affected versions | All versions before 9.13.0 | [Version history](https://marketplace.atlassian.com/apps/4977/email-this-issue/version-history) |
| Fixed version | 9.13.0 | [Download version](https://marketplace.atlassian.com/download/apps/4977/version/1006141) |

## About the vulnerability

### Components affected

A cross-site scripting (XSS) vulnerability in Email This Issue version 9.12.0-GA and prior allows attackers to execute arbitrary web scripts or HTML. The attacker injects a crafted payload into a recipient field of an e-mail message (where one or more valid email addresses are expected); when the application processes that message, the address is displayed unsanitized on the Emails tab of the Jira issue screen, which lists the corresponding email audit log items.

### Attack vectors and attack simulation

The attacker has to create a well-crafted email address containing a malicious script in its local part. Because RFC 5322 allows a quoted local part, the result is still a well-formed, valid address (sample payload: `"xss-test.<script>alert('Hacked!')</script>"@domain.tld`). This address must then be used as a recipient (an addressee, i.e. in one of the TO, CC or BCC fields) of an email message sent to a mailbox that is configured as an *Incoming Connection* in the *Email This Issue* application. In addition, a *Mail Handler* must also be configured for this *Incoming Connection* so that the message is processed by the application and a Jira issue is created for it. Finally, the malicious script is executed when a user navigates to the [*Emails tab*](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log#emailauditlog-issuetab) of the corresponding Jira issue (as seen below).

{% hint style="info" %}
The same attack can also be executed via the [Global Email Log](https://docs.meta-inf.hu/email-this-issue/email-this-issue-for-jira-server-data-center/documentation/administration/email-audit-log#emailauditlog-globalemaillog) available from the app's Admin menu.
{% endhint %}

<figure><img src="/files/dPF1Tw53C90Eoao4AYLW" alt=""><figcaption><p>The Emails tab showing the processed malicious email in the Jira issue's Activity panel</p></figcaption></figure>

## Remediation

Email addresses are now included in the data that the app sanitizes before rendering, so markup embedded in an address is neutralized instead of being executed.

Please upgrade to version 9.13.0-GA or higher in order to have the fix included in your product.
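As a defender-side illustration of the bug and the fix described above (an added example in Python, not code from the Email This Issue app): the unsafe renderer concatenates recipient addresses straight into audit-log HTML, the safe one HTML-escapes them first, and a small helper flags addresses whose local part carries markup so incoming-mail logs can be reviewed. The `To:` header, function names and the `TAG_RE` pattern are constructed for this example; the payload address is the one quoted in the advisory.

```python
import html
import re
from email.utils import getaddresses

# Constructed sample To: header. The second address is the payload quoted in
# the advisory: markup inside a quoted local part, which RFC 5322 permits.
SAMPLE_TO_HEADER = (
    "ops@example.com, "
    "\"xss-test.<script>alert('Hacked!')</script>\"@domain.tld"
)

# Anything that looks like an HTML tag inside the local part of an address.
TAG_RE = re.compile(r"<[^>]+>")


def recipients(header: str) -> list[str]:
    """Addresses from a To/CC/BCC header, display names dropped."""
    return [addr for _, addr in getaddresses([header]) if addr]


def render_recipients_unsafe(header: str) -> str:
    """Vulnerable pattern: raw address strings concatenated into audit-log HTML."""
    cells = "".join(f"<td>{addr}</td>" for addr in recipients(header))
    return f"<tr>{cells}</tr>"


def render_recipients_safe(header: str) -> str:
    """Hardened pattern: each address is HTML-escaped before it reaches the page,
    so the payload is shown as text and no script element is created."""
    cells = "".join(
        f"<td>{html.escape(addr, quote=True)}</td>" for addr in recipients(header)
    )
    return f"<tr>{cells}</tr>"


def suspicious_recipients(header: str) -> list[str]:
    """Log-review helper: addresses whose local part carries markup. They are
    syntactically valid, so address validation alone does not reject them."""
    flagged = []
    for addr in recipients(header):
        local, _, _ = addr.rpartition("@")
        if TAG_RE.search(local):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    print("unsafe:", render_recipients_unsafe(SAMPLE_TO_HEADER))
    print("safe:  ", render_recipients_safe(SAMPLE_TO_HEADER))
    print("flag:  ", suspicious_recipients(SAMPLE_TO_HEADER))
```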
