The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is 7.12.x prior to 7.13.2 or 8.0.0 prior to 8.0.2. It is, therefore, affected by a vulnerability which permits remote attackers to see information for archived projects through a missing authorisation check.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.13.2 or 8.0.x prior to 8.0.2. It is, therefore, affected by multiple vulnerabilities:
  - An information disclosure vulnerability exists in Jira's BrowserProjects.jspa component. An unauthenticated, remote     attacker can exploit this, by sending crafted HTTP requests, to disclose information about archived projects     (CVE-2019-3399).

  - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before     returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a     specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2019-3400).

ID	Name	Product	Family	Severity
113787	Atlassian Jira 8.0.0 < 8.0.2 Information Disclosure In Browseprojects.jspa Resource	Web App Scanning	Component Vulnerability	high
113786	Atlassian Jira 7.12 < 7.13.2 Information Disclosure In Browseprojects.jspa Resource	Web App Scanning	Component Vulnerability	high
124772	Atlassian JIRA Multiple Vulnerabilities (JRASERVER-69245) (JRASERVER-69246)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2019-3399

high

Tenable Plugins

high

high

high