CVE-2021-39111
6.1 MEDIUMThe Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 befo...
Published: 2021-08-30 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-79
Affected products
| Vendor | Product |
|---|---|
| atlassian | data_center, jira, jira_data_center |
Description
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39111
- [Vendor advisory]https://jira.atlassian.com/browse/JRASERVER-72716
- [Vendor advisory]https://jira.atlassian.com/browse/JRASERVER-72716
Related CVEs
Same vendor
- CVE-2021-41312 — Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Man... (7.5 HIGH)
- CVE-2021-41310 — Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a ... (6.1 MEDIUM)
- CVE-2021-41313 — Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configu... (4.3 MEDIUM)
- CVE-2021-41308 — Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Re... (6.5 MEDIUM)
- CVE-2021-41307 — Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects a... (7.5 HIGH)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
- CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)