Talos Vulnerability Report


Atlassian Jira WikiRenderer parser XSS vulnerability

September 16, 2019
CVE Number



An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.

Tested Versions

Atlassian Jira 7.6.4
Atlassian Jira 7.7.0
Atlassian Jira 8.1.0

Product URLs


CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L


CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)


Parsing of comments or worklogs that use the WikiRenderer is susceptible to malformed input, which results in a persistent XSS. The renderer markup format supports setting attributes for embedded images in an attr=val format. The renderer also supports parsing URLs to create links in the rendered output. However, the renderer additionally creates URLs for image attributes whose value starts with http:. Combining these two behaviors allows an attacker to produce malformed HTML output, which can be leveraged to execute arbitrary JavaScript.

Exploit Proof-of-Concept

To demonstrate the issue on versions 7.6.4-7.7.0, create an issue comment with the following content:


The same issue can be demonstrated on version 8.1.0, using the following content:

!image.png|width=\" onmouseover=alert(42);//!
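The following is an added illustration, not Atlassian's WikiRenderer code: a constructed model of the image-macro syntax described above, rendered once with the flawed pattern (attribute values pasted in verbatim) and once in a hardened form (allow-listed attribute names, HTML-escaped values, no auto-linking of values), with a parser-based check that shows which attribute names a browser-like parser actually sees. The macro grammar, `ALLOWED_ATTRS` and the function names are assumptions; the sample input is the 8.1.0 proof-of-concept string from this report.

```python
import html
import re
from html.parser import HTMLParser

# Constructed model of the image-macro syntax described in the advisory, e.g.
# !image.png|width=100,height=50! ; this is an illustration, not Jira's WikiRenderer.
IMAGE_MACRO = re.compile(r"!([^|!]+)(?:\|([^!]*))?!")
ALLOWED_ATTRS = {"width", "height", "align", "alt", "title"}
# The 8.1.0 proof-of-concept string from the advisory, used as sample input.
POC_8_1_0 = r'!image.png|width=\" onmouseover=alert(42);//!'

def parse_image_macro(markup):
    """Return (src, {attr: value}) for one image macro; raise on anything else."""
    m = IMAGE_MACRO.fullmatch(markup.strip())
    if m is None:
        raise ValueError("not an image macro")
    attrs = {}
    for pair in filter(None, (m.group(2) or "").split(",")):
        name, _, value = pair.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return m.group(1), attrs

def render_unescaped(markup):
    """Flawed pattern: values are pasted into the tag verbatim, so a quote in a
    value closes the attribute and whatever follows becomes a new attribute."""
    src, attrs = parse_image_macro(markup)
    return f'<img src="{src}"' + "".join(f' {k}="{v}"' for k, v in attrs.items()) + ">"

def render_escaped(markup):
    """Hardened form: allow-list attribute names and HTML-escape every value
    (quote=True maps " to &quot;), so a value can never leave its attribute."""
    src, attrs = parse_image_macro(markup)
    attr_html = "".join(f' {k}="{html.escape(v, quote=True)}"'
                        for k, v in attrs.items() if k in ALLOWED_ATTRS)
    return f'<img src="{html.escape(src, quote=True)}"{attr_html}>'

class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def attribute_names(rendered):
    """Defender check: the attribute names a browser-like parser sees. Any name
    outside ALLOWED_ATTRS plus src (such as an on* handler) means a breakout."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return p.names
```

Running `attribute_names` over both renderings of `POC_8_1_0` shows the unescaped output gaining an `onmouseover` attribute while the escaped output keeps only `src` and `width`.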


2019-05-14 - Vendor disclosure
2019-09-09 - Vendor patched
2019-09-12 - Public release


Discovered by Ben Taylor of Cisco ASIG.