Title: Security vulnerability for Time in Status
Summary

A vulnerability discovered in Time in Status allows an attacker to run JavaScript code on your Jira pages.

Security Advisory Release Date: 25.02.2021
Severity: Medium
Affected Products

Time in Status Server

Time in Status Data Center

Affected Version(s)

All versions before 4.13.0

Fixed Version(s): 4.13.0
Details

A vulnerability in Time in Status version 4.12.0 and earlier may allow an attacker to execute custom JavaScript code on your Jira pages.

  • To exploit this vulnerability, the attacker must already have a valid user on Jira. Attackers without a valid Jira login cannot exploit this vulnerability.
Workaround: No workaround is available.
Permanent Fix: Upgrade to Time in Status 4.13.0 or above.
What you should do: If you are using a version of Time in Status before 4.13.0, you should update your app to version 4.13.0 or above.
Support

If you have questions, you can reach the OBSS support team through https://pluginsupport.obss.com.tr/ or by sending an e-mail to plugin@obss.com.tr

Frequently Asked Questions (FAQ)
  • I am using Jira Cloud. Do I need to do anything?
    • No, this vulnerability only affects Jira Server and Data Center. Jira Cloud users don't need to do anything.
  • Does this vulnerability affect other parts of Jira?
    • No, the vulnerability is Time in Status specific and can only be exploited through Time in Status pages and frames. Other parts of Jira are not affected.
  • I am already using Time in Status 4.13.0 or above. Do I need to do anything?
    • Using the latest version of the app is always recommended, but customers using Time in Status 4.13.0 or above are already on a fixed version. They don't need to upgrade for security purposes.
  • Is it possible to detect if this vulnerability has been exploited in the past?
    • No, there is no way to detect if this vulnerability has been exploited by an attacker.
  • I've installed Time in Status in the past but currently it is not installed/enabled on my Jira. Do I need to do anything?
    • No, this vulnerability does not leave a permanent mark on your system. If you don't have Time in Status on your system now, you don't have to do anything.
  • I have the evaluation version of Time in Status. Is my system affected too?
    • Yes, this vulnerability is not related to the installed license. Both evaluation and paid versions are affected.
  • My Jira version is not supported by the latest version of Time in Status. What should I do?
    • Time in Status currently supports all Jira versions that are supported by Atlassian. We recommend that you upgrade your Jira to a version that is supported by Atlassian and then upgrade Time in Status.
