N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-25v4-mcx4-hh35

EPSS Score

CWE

CWE-79

Published

9/4/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-25v4-mcx4-hh35

GHSA-25v4-mcx4-hh35: Cross-Site Scripting in atlasboard-atlassian-package

All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers being able to change issue summaries in Jira tickets.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-25v4-mcx4-hh35

EPSS Score

CWE

CWE-79

Published

9/4/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
atlasboard-atlassian-package	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly states the root cause is failure to sanitize user input rendered as HTML, but no specific functions or file paths are disclosed in available sources. While the vulnerability clearly exists in the Jira issue summary rendering logic, the lack of accessible source code, commit diffs, or patch details makes it impossible to identify exact function names and locations with high confidence. The XSS likely occurs wherever user-controlled issue summaries are inserted into DOM without proper escaping, but this cannot be mapped to specific functions without implementation details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* `*tl*s*o*r*-*tl*ssi*n-p**k***` prior to *.*.* *r* vuln*r**l* to *ross-Sit* S*riptin* (XSS). T** p**k*** **ils to prop*rly s*nitiz* us*r input t**t is r*n**r** *s *TML, w*i** m*y *llow *tt**k*rs to *x**ut* *r*itr*ry J*v*S*ript in * vi

Reasoning

T** **visory *xpli*itly st*t*s t** root **us* is **ilur* to s*nitiz* us*r input r*n**r** *s *TML, *ut no sp**i*i* *un*tions or *il* p*t*s *r* *is*los** in *v*il**l* sour**s. W*il* t** vuln*r**ility *l**rly *xists in t** `Jir*` issu* summ*ry r*n**rin*

N/A

Basic Information

Concerned about an active attack path?

GHSA-25v4-mcx4-hh35: Cross-Site Scripting in atlasboard-atlassian-package

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI