CVE-2021-39117: 
JIRA vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Atlassian Jira Server and Data Center versions 8.15.0 through 8.17.0. The vulnerability, identified as CVE-2021-39117, was introduced in version 8.15.0 and affects the Custom Fields creation feature on the AssociateFieldToScreens page. The issue was discovered in July 2021 and fixed in version 8.18.0 (Jira Advisory).

The vulnerability allows remote attackers to inject arbitrary HTML or JavaScript through the name of a custom field in the AssociateFieldToScreens page. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 4.8 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow attackers to execute arbitrary HTML or JavaScript code in the context of other users' browsers who access the affected pages. This could potentially lead to unauthorized access to sensitive information and manipulation of user sessions (NVD).

The vulnerability has been fixed in Atlassian Jira Server and Data Center version 8.18.0. Users running affected versions (8.15.0 to 8.17.0) should upgrade to version 8.18.0 or later to mitigate this security risk (Jira Advisory).