CVE-2025-67824

The WorklogPRO - Jira Timesheets plugin for Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript (stored XSS). The vector is a crafted payload placed in the name of a saved filter. The payload executes in the victim's browser when they attempt to create a timesheet of the "filter" timesheet type in the custom timesheet dialog, because the filter name is not properly sanitized when the dialog is rendered.
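The advisory describes the classic stored-XSS shape: free-text stored by one user (a filter name) is later rendered into markup for another user without escaping. The following is an added illustrative example, not WorklogPRO's or Atlassian's code; the dialog markup, the `renderFilterOption*` function names and the `option` element are assumptions used to model the pattern. It shows the unsafe concatenation beside the escaped form, plus a small output check a reviewer can run over rendered HTML.

```javascript
// Added example (not the plugin's code): rendering an attacker-controlled
// filter name into dialog markup, unsafely and safely.

// Constructed sample: a saved-filter name as an attacker could set it through
// the normal filter UI. Filter names are free text, so the markup is stored
// verbatim and replayed to whoever opens the dialog.
const FILTER_NAME_PAYLOAD = 'Sprint 42<img src=x onerror="alert(document.cookie)">';

// Escape the five characters that let text break out of an element body or a
// quoted attribute value. Output is safe for both text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE pattern: the stored name is concatenated straight into markup
// (hypothetical dialog code modelling what the advisory describes).
function renderFilterOptionVulnerable(filter) {
  return `<option value="${filter.id}">${filter.name}</option>`;
}

// HARDENED pattern: every untrusted field is escaped before it reaches markup.
function renderFilterOptionSafe(filter) {
  return `<option value="${escapeHtml(filter.id)}">${escapeHtml(filter.name)}</option>`;
}

// Reviewer check: scan rendered HTML for any tag outside an allowlist, or any
// on* event-handler attribute on an allowed tag. Escaped text never forms a
// tag, so only live markup is reported.
function containsActiveMarkup(html, allowedTags = ['option']) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, name, attrs] = m;
    if (!allowedTags.includes(name.toLowerCase())) return true;
    if (/\son\w+\s*=/i.test(attrs)) return true;
  }
  return false;
}

// Stand-alone demonstration on the constructed payload.
const sampleFilter = { id: '42', name: FILTER_NAME_PAYLOAD };
console.log('vulnerable:', renderFilterOptionVulnerable(sampleFilter));
console.log('safe      :', renderFilterOptionSafe(sampleFilter));
console.log('vulnerable carries payload:', containsActiveMarkup(renderFilterOptionVulnerable(sampleFilter)));
console.log('safe carries payload      :', containsActiveMarkup(renderFilterOptionSafe(sampleFilter)));
```

In a real fix the escaping belongs in the template layer (or the value is assigned via `textContent` / a DOM API rather than `innerHTML`), so that no call site can forget it; the string-level check above is only a regression guard for rendered output.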
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type: Summary
Values Added:
  • (es) [Spanish-language summary, translated:] The WorklogPRO - Jira Timesheets plugin in Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type in the custom timesheet dialog, because the filter name is not properly sanitized during the action.

23 Jan 2026, 19:15

Type: References
Values Added:
  • https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC (source: cve@mitre.org)

21 Jan 2026, 17:16

Type: CWE
Values Added: CWE-79

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 6.1

21 Jan 2026, 08:15

Type: Summary
Values Removed:
  • (en) The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.1-jira9, 4.24.1-jira10, and 4.24.1-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action.
Values Added:
  • (en) The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action.

Type: References
Values Added:
  • https://thestarware.atlassian.net/wiki/x/CAAdyg (no source recorded)

20 Jan 2026, 16:16

Type: New CVE

Information

Published : 2026-01-20 16:16

Updated : 2026-04-15 00:35


NVD link : CVE-2025-67824

Mitre link : CVE-2025-67824

CVE.ORG link : CVE-2025-67824



Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')