According to its self-reported version number, the Atlassian Jira Service Management application running on the remote host is prior to version 4.21.0. It is, therefore, affected by multiple vulnerabilities:
A flaw which permits authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the “Move objects” feature (CVE-2021-43948).
A flaw which permits authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature (CVE-2021-43949).
A flaw which permits authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature (CVE-2021-43950).
A flaw which permits authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping feature (CVE-2021-43951).
A vulnerability which permits authenticated remote attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the “Object Schema” field of /secure/admin/InsightDefaultCustomFieldConfig.jspa (CVE-2021-43943).
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43943
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43948
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43949
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43951
jira.atlassian.com/browse/JSDSERVER-10980
jira.atlassian.com/browse/JSDSERVER-10981
jira.atlassian.com/browse/JSDSERVER-10982
jira.atlassian.com/browse/JSDSERVER-10983
jira.atlassian.com/browse/JSDSERVER-10984