Email This Issue Security Advisory 2025-06-30

Overview

About the vulnerability

Components affected

A cross-site scripting (XSS) vulnerability in Email This Issue version 9.12.0-GA and prior allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the recipient field of an e-mail message (where one or more valid email addresses are expected) being processed by the application and then displayed on the Emails tab on a Jira issue screen (that lists the corresponding email audit log items).

Attack vectors and attack simulation

The attacker has to create a well-crafted email address, containing a malicious script in its local part (resulting in a well-formed, valid email -> sample payload: "xss-test.<script>alert('Hacked!')</script>"@domain.tld). After that, this email address must be used as a recipient (as an addressee, i.e. one of the TO, CC, BCC fields) of an email message sent to a mailbox that is configured as an Incoming Connection in the Email This Issue application. In addition to that, a Mail Handler shall be also configured for this Incoming Connection in order to have the message processed by the application and get a Jira issue created for it. Finally, the malicious script will be executed when navigating to the Emails tab of the corresponding Jira issue (as seen below).

Remediation

We've added the sanitization of email addresses to the scope of data to be neutralized against such threats.

Please upgrade to version 9.13.0-GA or higher in order to have the fix included in your product.