FKIE_CVE-2025-67824

Vulnerability from fkie_nvd - Published: 2026-01-20 16:16 - Updated: 2026-04-15 00:35
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action.
References
cve@mitre.orghttps://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history
cve@mitre.orghttps://thestarware.atlassian.net/wiki/x/CAAdyg
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action."
    },
    {
      "lang": "es",
      "value": "El plugin WorklogPRO - Jira Timesheets en el Jira Data Center antes de 4.24.2-jira9, 4.24.2-jira10 y 4.24.2-jira11 permite a los atacantes inyectar HTML o JavaScript arbitrario a trav\u00e9s de XSS. Esto se explota a trav\u00e9s de una carga \u00fatil manipulada colocada en el nombre de un filtro. Este c\u00f3digo se ejecuta en el navegador cuando el usuario intenta crear una hoja de horas con el tipo de hoja de horas de filtro en el di\u00e1logo de hoja de horas personalizada porque el nombre del filtro no se sanea correctamente durante la acci\u00f3n."
    }
  ],
  "id": "CVE-2025-67824",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-20T16:16:06.517",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://thestarware.atlassian.net/wiki/x/CAAdyg"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.