CVE-2012-1500: 
JIRA vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in JIRA 4.4.3 and GreenHopper versions before 5.9.8. The vulnerability, identified as CVE-2012-1500, was reported on March 7, 2012, and resolved on August 22, 2012. The vulnerability affected the UpdateFieldJson.jspa component in JIRA 4.4.3 and GreenHopper, allowing attackers to inject arbitrary script code (CloudScan Blog, NVD).

The vulnerability was classified as a stored XSS vulnerability (CWE-79) with a CVSS v3.1 base score of 5.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 score was rated at 3.5 (LOW) with vector (AV:N/AC:M/Au:S/C:N/I:P/A:N). The vulnerability specifically affected the UpdateFieldJson.jspa component, where input validation was insufficient to prevent stored XSS attacks (NVD).

When successfully exploited, the vulnerability allowed attackers to inject and store malicious script code that would execute when other users accessed the affected pages. This could lead to the theft of user credentials, including usernames, passwords, and session cookies, potentially giving attackers control over the JIRA issue tracker and connected systems (CloudScan Blog, Exploit DB).

The vulnerability was resolved with the release of GreenHopper version 5.9.8. Users were advised to upgrade to this version or later to protect against this vulnerability (NVD).

The security research community acknowledged the severity of the vulnerability, and a security researcher was awarded 1250 Euros through the XSS.Cx Vulnerability Rewards Program for discovering and reporting this vulnerability (CloudScan Blog).