CVE-2025-67824 Overview
CVE-2025-67824 is a stored cross-site scripting (XSS) vulnerability in the WorklogPRO - Jira Timesheets plugin for Jira Data Center. The flaw exists in versions prior to 4.24.2-jira9, 4.24.2-jira10, and 4.24.2-jira11. Attackers inject arbitrary HTML or JavaScript by placing a crafted payload in the name of a Jira filter. The payload executes in the victim's browser when the user creates a timesheet using the filter timesheet type on the custom timesheet dialog. The plugin fails to sanitize the filter name during this action; the weakness is classified as [CWE-79].
Critical Impact
Authenticated attackers execute arbitrary JavaScript in another user's browser session, enabling session hijacking, credential theft, and unauthorized Jira actions performed as the victim.
Affected Products
- WorklogPRO - Jira Timesheets plugin before 4.24.2-jira9
- WorklogPRO - Jira Timesheets plugin before 4.24.2-jira10
- WorklogPRO - Jira Timesheets plugin before 4.24.2-jira11
Discovery Timeline
- 2026-01-20 - CVE-2025-67824 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-67824
Vulnerability Analysis
The WorklogPRO - Jira Timesheets plugin extends Atlassian Jira Data Center with timesheet management functions. The plugin allows users to construct custom timesheets from existing Jira filters. When a user opens the custom timesheet dialog and selects the filter timesheet type, the application inserts the filter's name into the dialog markup without applying HTML or JavaScript encoding. Any user with permission to create or modify a Jira filter can therefore embed malicious markup in the filter name. The payload triggers when another user opens the custom timesheet dialog and references the malicious filter.
Root Cause
The root cause is missing output encoding on user-controlled filter name values during dialog rendering. The plugin treats the filter name as trusted markup rather than as untrusted text. This violates the standard mitigation guidance for [CWE-79] and is exacerbated because filter names are shared across users and projects in Jira Data Center.
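To make the root cause concrete, the following added example (written for this page, not the plugin's own code, which is not public here) contrasts the vulnerable rendering pattern described above with its hardened form in Python. The template shape and the sample filter name are constructed; it uses Python's html module to encode the name for the HTML text and attribute contexts and then counts the elements a parser builds, so the reader can see the untrusted name adding an element in one case and not the other.

```python
import html
from html.parser import HTMLParser

# Constructed sample filter name of the kind the Attack Vector section
# describes (an <img onerror=...> form); not taken from any real report.
SAMPLE_FILTER_NAME = 'Sprint report <img src=x onerror=alert(1)>'


def render_filter_option_vulnerable(filter_name: str) -> str:
    """Vulnerable pattern: the filter name is dropped into the dialog markup
    as if it were trusted HTML, in both an attribute and a text context."""
    return f'<option value="{filter_name}">{filter_name}</option>'


def render_filter_option_fixed(filter_name: str) -> str:
    """Hardened pattern: the name is treated as untrusted text and encoded
    for the HTML context before interpolation. quote=True also encodes the
    quote characters, which matters inside the value="..." attribute."""
    safe = html.escape(filter_name, quote=True)
    return f'<option value="{safe}">{safe}</option>'


class _ElementCollector(HTMLParser):
    """Records every start tag the parser creates while reading the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup: str) -> list[str]:
    """Return the element names a parser builds from the markup, in order.
    A user-controlled string must never add elements beyond the template's own."""
    collector = _ElementCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injects_elements(render, filter_name: str, template_elements: int = 1) -> bool:
    """True when rendering filter_name creates more elements than the template
    itself contains (one <option> here), i.e. the name was interpreted as markup."""
    return len(element_names(render(filter_name))) > template_elements


if __name__ == "__main__":
    for label, render in (("vulnerable", render_filter_option_vulnerable),
                          ("fixed", render_filter_option_fixed)):
        print(label, element_names(render(SAMPLE_FILTER_NAME)))
```

The same check generalises to any template: render the untrusted value through the template and assert that the element list equals the template's own elements. Encoding must be chosen per context; html.escape covers HTML text and quoted attributes, but a value placed inside a JavaScript string or a URL needs the encoding for that context instead.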
Attack Vector
An attacker creates or renames a Jira filter using a payload such as an HTML <script> tag, an <img onerror=...> tag, or an event-handler attribute embedded in the filter name. The attacker then shares the filter with target users or relies on filters that are already discoverable. When a victim opens the custom timesheet dialog and selects the filter timesheet type, the malicious filter name renders in the DOM and executes. Exploitation requires user interaction, but because the payload executes within the Jira origin, the script runs with the victim's Jira session privileges.
No verified public proof-of-concept code is available. See the Atlassian Wiki Documentation for vendor technical details.
Detection Methods for CVE-2025-67824
Indicators of Compromise
- Jira filter names containing HTML tags, JavaScript event handlers such as onerror, onload, or onclick, or javascript: URIs.
- Unexpected outbound HTTP requests from user browsers to attacker-controlled domains shortly after opening the WorklogPRO custom timesheet dialog.
- Jira audit log entries showing filter creation or rename actions by low-privilege accounts, followed by those filters being used by administrator accounts.
Detection Strategies
- Query the Jira database or REST API for filter names matching XSS pattern signatures, including angle brackets, the script tag, and inline event handlers.
- Inspect WorklogPRO custom timesheet dialog responses for unescaped filter names rendered into HTML contexts.
- Correlate filter modification events with subsequent privileged session activity in the Jira audit log.
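The following added example (not from the page or the vendor) implements the indicator list and the first and third detection strategies above in Python. It classifies filter names against the three indicator classes (HTML tags, inline event handlers, javascript: URIs), scans a list of filter records shaped like the Jira REST API's filter objects (id, name, owner.name), and screens audit-log lines for filter create/rename events whose new name carries an indicator. The filter records, the audit-log line format and the user names are constructed for the example; Jira's real audit export format differs, so the AUDIT_LINE pattern is an assumption to be adapted.

```python
import html
import json
import re

# Patterns for the indicators listed above. Names are normalised first, so
# entity-encoded forms such as "&lt;script&gt;" are caught as well.
INDICATORS = {
    "html_tag": re.compile(r"</?[a-zA-Z]"),                          # "<b", "</script"; not "a < b"
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),    # onerror=, onload=, onclick=
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def normalize(name: str) -> str:
    """Decode HTML entities and drop control characters so that encoded or
    split-up payloads are compared in the form a browser would see."""
    decoded = html.unescape(name)
    return re.sub(r"[\x00-\x1f]", "", decoded)


def classify_filter_name(name: str) -> list[str]:
    """Return the sorted list of indicator labels matching the filter name."""
    text = normalize(name)
    return sorted(label for label, pattern in INDICATORS.items() if pattern.search(text))


def scan_filters(filters: list[dict]) -> list[dict]:
    """Flag filter records (Jira REST API shape: id, name, owner.name)
    whose names carry XSS indicators; records without hits are dropped."""
    findings = []
    for record in filters:
        indicators = classify_filter_name(record.get("name", ""))
        if indicators:
            findings.append({
                "id": record.get("id"),
                "owner": record.get("owner", {}).get("name"),
                "name": record.get("name"),
                "indicators": indicators,
            })
    return findings


# Constructed audit-log line format (assumption; Jira's real export differs).
AUDIT_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>filter\.(?:create|rename)) '
    r'id=(?P<id>\d+) name="(?P<name>.*)"$'
)


def alerts_from_audit_lines(lines: list[str]) -> list[dict]:
    """One alert per filter create/rename event whose new name carries indicators."""
    alerts = []
    for line in lines:
        match = AUDIT_LINE.match(line)
        if not match:
            continue  # other event types are ignored
        indicators = classify_filter_name(match["name"])
        if indicators:
            alerts.append({"ts": match["ts"], "user": match["user"],
                           "action": match["action"], "id": match["id"],
                           "indicators": indicators})
    return alerts


# Constructed sample data for a stand-alone run.
SAMPLE_FILTERS = json.loads("""[
  {"id": "10001", "name": "Team A open issues", "owner": {"name": "alice"}},
  {"id": "10002", "name": "Sprint report <img src=x onerror=alert(1)>", "owner": {"name": "mallory"}},
  {"id": "10003", "name": "Bugs with priority > High", "owner": {"name": "bob"}},
  {"id": "10004", "name": "QA &lt;script&gt;alert(1)&lt;/script&gt;", "owner": {"name": "mallory"}},
  {"id": "10005", "name": "Links javascript:void(0)", "owner": {"name": "carol"}}
]""")

SAMPLE_AUDIT_LINES = [
    '2026-01-21T09:58:03Z user=alice action=filter.create id=10001 name="Team A open issues"',
    '2026-01-21T10:02:11Z user=mallory action=filter.rename id=10002 name="Sprint report <img src=x onerror=alert(1)>"',
    '2026-01-21T10:05:40Z user=bob action=issue.update id=5521 name="ignored: not a filter event"',
]

if __name__ == "__main__":
    print(json.dumps(scan_filters(SAMPLE_FILTERS), indent=2))
    print(json.dumps(alerts_from_audit_lines(SAMPLE_AUDIT_LINES), indent=2))
```

Two design choices matter in practice: entities are decoded before matching, so a name stored as "&lt;script&gt;" is flagged even though the raw database value contains no angle bracket, and the tag pattern requires a letter directly after "<", so ordinary JQL-style names such as "priority > High" are not reported. Treat hits as review items rather than proof of compromise, and feed the findings into the correlation step with the audit log.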
Monitoring Recommendations
- Enable browser-side Content Security Policy (CSP) reporting to identify inline script execution attempts on Jira pages.
- Monitor Jira audit logs for filter creation and rename events, alerting on names containing HTML metacharacters.
- Track WorklogPRO plugin version inventory across Jira Data Center nodes to confirm patched builds are deployed.
How to Mitigate CVE-2025-67824
Immediate Actions Required
- Upgrade the WorklogPRO - Jira Timesheets plugin to 4.24.2-jira9, 4.24.2-jira10, or 4.24.2-jira11 matching the underlying Jira major version.
- Audit all existing Jira filter names and rename or delete any containing HTML or JavaScript syntax before upgrade.
- Review Jira audit logs for filter modifications made by accounts that do not normally manage filters.
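The version-inventory check recommended in the Monitoring section and the "match the Jira major version" rule in the first action above can be automated. The following added Python example (not vendor code) parses plugin version strings of the form used in this advisory, compares them against the fixed builds, and reports nodes running an older build or a build compiled for a different Jira major. The node inventory is constructed; the advisory only lists the earlier builds as affected, so the example assumes (as labelled in the code) that later 4.x builds for the same Jira major are fixed as well.

```python
import re

# Fixed plugin versions from the advisory, keyed by the Jira Data Center major
# version the build targets. Assumption (not stated on the page): any later
# build for the same Jira major is also fixed, since only earlier builds are
# listed as affected.
FIXED_VERSIONS = {9: (4, 24, 2), 10: (4, 24, 2), 11: (4, 24, 2)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-jira(\d+)$")


def parse_plugin_version(version: str):
    """Split '4.24.1-jira9' into ((4, 24, 1), 9); None if the string does not fit."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch, jira_major = (int(g) for g in match.groups())
    return (major, minor, patch), jira_major


def assess(plugin_version: str, node_jira_major: int) -> str:
    """Classify one node's plugin install against the advisory."""
    parsed = parse_plugin_version(plugin_version)
    if parsed is None:
        return "unparseable"
    numeric, build_jira_major = parsed
    if build_jira_major != node_jira_major:
        return "wrong_build"          # e.g. a -jira10 build installed on a Jira 11 node
    fixed = FIXED_VERSIONS.get(node_jira_major)
    if fixed is None:
        return "unknown_jira_major"
    return "patched" if numeric >= fixed else "vulnerable"


def audit_inventory(inventory: list[dict]) -> list[dict]:
    """Annotate constructed records {node, jira_major, plugin_version} with a status."""
    return [dict(record, status=assess(record["plugin_version"], record["jira_major"]))
            for record in inventory]


def nodes_needing_action(inventory: list[dict]) -> list[str]:
    """Node names whose status is anything other than 'patched'."""
    return [r["node"] for r in audit_inventory(inventory) if r["status"] != "patched"]


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    {"node": "jira-dc-1", "jira_major": 9, "plugin_version": "4.24.1-jira9"},
    {"node": "jira-dc-2", "jira_major": 10, "plugin_version": "4.24.2-jira10"},
    {"node": "jira-dc-3", "jira_major": 11, "plugin_version": "4.24.2-jira10"},
    {"node": "jira-dc-4", "jira_major": 9, "plugin_version": "4.25.0-jira9"},
    {"node": "jira-dc-5", "jira_major": 9, "plugin_version": "unknown"},
]

if __name__ == "__main__":
    for record in audit_inventory(SAMPLE_INVENTORY):
        print(record["node"], record["plugin_version"], record["status"])
```

In a Data Center cluster every node must be checked individually, since a node that missed the plugin update, or one carrying a build for the wrong Jira major, leaves the vulnerable dialog reachable through that node.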
Patch Information
Thestarware released fixed versions 4.24.2-jira9, 4.24.2-jira10, and 4.24.2-jira11 of the WorklogPRO - Jira Timesheets plugin. Administrators should install the build that matches their Jira Data Center major version (Jira 9, 10, or 11). Refer to the Atlassian Jira App Version History for release notes and download links.
Workarounds
- Restrict filter creation and edit permissions to trusted administrators until the plugin is patched.
- Disable the WorklogPRO plugin or block access to the custom timesheet dialog if upgrade cannot be performed immediately.
- Deploy a strict Content Security Policy on the Jira Data Center instance to limit inline script execution as a defense-in-depth control.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.