CVE-2010-1164 (GCVE-0-2010-1164)
Vulnerability from cvelistv5
Published: 2010-04-20 15:00
Modified: 2024-08-07 01:14
Severity ?
CWE: n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
References
secalert@redhat.com http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 Patch, Vendor Advisory
secalert@redhat.com http://jira.atlassian.com/browse/JRA-20994 Vendor Advisory
secalert@redhat.com http://jira.atlassian.com/browse/JRA-21004 Patch, Vendor Advisory
secalert@redhat.com http://secunia.com/advisories/39353 Vendor Advisory
secalert@redhat.com http://www.openwall.com/lists/oss-security/2010/04/16/3
secalert@redhat.com http://www.openwall.com/lists/oss-security/2010/04/16/4
secalert@redhat.com http://www.securityfocus.com/bid/39485
secalert@redhat.com https://exchange.xforce.ibmcloud.com/vulnerabilities/57826
secalert@redhat.com https://exchange.xforce.ibmcloud.com/vulnerabilities/57827
af854a3a-2127-422b-91ae-364da2661108 http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://jira.atlassian.com/browse/JRA-20994 Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://jira.atlassian.com/browse/JRA-21004 Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://secunia.com/advisories/39353 Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2010/04/16/3
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2010/04/16/4
af854a3a-2127-422b-91ae-364da2661108 http://www.securityfocus.com/bid/39485
af854a3a-2127-422b-91ae-364da2661108 https://exchange.xforce.ibmcloud.com/vulnerabilities/57826
af854a3a-2127-422b-91ae-364da2661108 https://exchange.xforce.ibmcloud.com/vulnerabilities/57827
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T01:14:06.535Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "jira-element-xss(57827)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://jira.atlassian.com/browse/JRA-20994"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16"
          },
          {
            "name": "jira-groupnames-xss(57826)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826"
          },
          {
            "name": "[oss-security] 20100416 CVE Request: JIRA Issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3"
          },
          {
            "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4"
          },
          {
            "name": "39353",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/39353"
          },
          {
            "name": "39485",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/39485"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://jira.atlassian.com/browse/JRA-21004"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-04-16T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "jira-element-xss(57827)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://jira.atlassian.com/browse/JRA-20994"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16"
        },
        {
          "name": "jira-groupnames-xss(57826)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826"
        },
        {
          "name": "[oss-security] 20100416 CVE Request: JIRA Issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3"
        },
        {
          "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4"
        },
        {
          "name": "39353",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/39353"
        },
        {
          "name": "39485",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/39485"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://jira.atlassian.com/browse/JRA-21004"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2010-1164",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "jira-element-xss(57827)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57827"
            },
            {
              "name": "http://jira.atlassian.com/browse/JRA-20994",
              "refsource": "CONFIRM",
              "url": "http://jira.atlassian.com/browse/JRA-20994"
            },
            {
              "name": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16",
              "refsource": "CONFIRM",
              "url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16"
            },
            {
              "name": "jira-groupnames-xss(57826)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/57826"
            },
            {
              "name": "[oss-security] 20100416 CVE Request: JIRA Issues",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2010/04/16/3"
            },
            {
              "name": "[oss-security] 20100416 Re: CVE Request: JIRA Issues",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2010/04/16/4"
            },
            {
              "name": "39353",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/39353"
            },
            {
              "name": "39485",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/39485"
            },
            {
              "name": "http://jira.atlassian.com/browse/JRA-21004",
              "refsource": "CONFIRM",
              "url": "http://jira.atlassian.com/browse/JRA-21004"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-1164",
    "datePublished": "2010-04-20T15:00:00",
    "dateReserved": "2010-03-29T00:00:00",
    "dateUpdated": "2024-08-07T01:14:06.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2010-1164\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2010-04-20T15:30:00.507\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Atlassian JIRA v3.12 hasta la v4.1. 
Permiten a usuarios remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s de el par\u00e1metro (1) \\\"element\\\" (elemento) o (2) \\\"defaultColor\\\" (color por defecto) a la p\u00e1gina de \\\"Colour Picker\\\" (selecci\u00f3n de colores); el (3) par\u00e1metro \\\"formName\\\", (4) par\u00e1metro \\\"element\\\", o (5) campo \\\"full name\\\" (nombre completo) a la p\u00e1gina \\\"User Picker\\\" (selecci\u00f3n de usuario); el (6) par\u00e1metro formName, (7) par\u00e1metro \\\"element\\\", o (8) campo \\\"group name\\\" (nombre de grupo) a la p\u00e1gina \\\"Group Picker\\\" (selecci\u00f3n de grupo); el (9) par\u00e1metro announcement_preview_banner_st de componentes sin especificar, relacionados con la p\u00e1gina \\\"Announcement Banner Preview\\\" (vista previa de anuncio); vectores sin especificar relacionados con las p\u00e1ginas (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, o (14) cleancommentspam.jsp; el (15) par\u00e1metro portletKey de runportleterror.jsp; la (16) URI de issuelinksmall.jsp; el (17) par\u00e1metro afterURL de screenshot-redirecter.jsp; o la (18) cabecera HTTP Referrer de 500page.jsp, tal como se ha explotado activamente en Abril del 
2010.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEA72E9E-ED89-4CD1-AF2F-3C2060E115FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.12.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67D2DF18-C072-47EF-9F99-3FBC3BD0B46A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.12.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"618C3DD0-2AE2-4188-8BC2-69365594ADA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.12.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49E76A26-4A32-4D17-AE09-DAA99AAA49D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59835FFB-BB1C-4403-9CEC-DFC31F1A4D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FAD7160D-BB0D-433A-8C7B-83BC311F53A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.13.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"74F52C0A-6567-4466-A20C-9BC457E56592\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.13.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"547EF015-960F-43DB-8985-8BE65B14230A\"},{\"vulnerable\":true,\"
criteria\":\"cpe:2.3:a:atlassian:jira:3.13.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4931F747-FA7D-42BF-B71F-277EE38A29C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:3.13.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"856597BE-1407-4587-B591-BD8B5B097B8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6039B692-0E90-428E-B953-D1F21AC48575\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EEED2354-51E8-4BF0-A07E-C70E14A8D79A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"86E22F6B-1CB8-4BAA-85EE-9B5FC4FD7635\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B07F838-5D36-4CEB-9579-3AB8BD67CCB6\"}]}]}],\"references\":[{\"url\":\"http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://jira.atlassian.com/browse/JRA-20994\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://jira.atlassian.com/browse/JRA-21004\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/39353\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/04/16/3\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/04/16/4\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/39485\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/57826\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/57827\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://jira.atlassian.com/browse/JRA-20994\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://jira.atlassian.com/browse/JRA-21004\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/39353\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/04/16/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/04/16/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/39485\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/57826\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/57827\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

