Summary
Two security vulnerabilities were identified in the app User Absence Planner for Jira Data Center that could allow unauthorized modification of administrative settings and the injection of malicious scripts into user-generated content. These issues have been fully resolved.
Affected Product
App: User Absence Planner for Jira Data Center
Affected Versions: All versions prior to 1.9.0
Fixed Version: 1.9.0
Vulnerability Details
1. Insufficient Permission Check on Admin Settings Endpoint
A backend endpoint intended for system administrators did not correctly verify that the caller held administrator permissions. Under specific conditions, a regular (non-administrator) user could call the endpoint and read or modify administrative configuration data.
2. Stored Cross-Site Scripting (XSS) in User-provided Input Fields
User-provided input in absence fields was not fully sanitized or output-encoded. A user could therefore store script content in an absence entry, and that script would execute in the browser of other users when the entry was rendered in certain views.
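The two patterns behind these findings, an admin settings endpoint that checks only for a logged-in session, and an absence note rendered without HTML encoding, are shown below beside their hardened forms. This is an added example written for this advisory, not code from User Absence Planner or ij-solutions; the class, resource path, settings key and method names are assumptions, and only the Jira and SAL APIs named in the imports are real.

```java
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.sal.api.pluginsettings.PluginSettings;
import com.atlassian.sal.api.pluginsettings.PluginSettingsFactory;
import org.apache.commons.lang3.StringEscapeUtils;

import javax.ws.rs.Consumes;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Illustrative admin-settings REST resource for a hypothetical Jira Data Center app.
 * Class name, path and settings key are assumptions for this example and are not
 * taken from User Absence Planner.
 */
@Path("/admin/settings")
public class AdminSettingsResource {

    // Hypothetical settings key; any app-specific key would do.
    private static final String SETTINGS_KEY = "com.example.absence.adminSettings";

    private final JiraAuthenticationContext authContext;
    private final GlobalPermissionManager permissionManager;
    private final PluginSettingsFactory settingsFactory;

    // Dependencies are injected by the plugin framework (Spring Scanner / @ComponentImport).
    public AdminSettingsResource(JiraAuthenticationContext authContext,
                                 GlobalPermissionManager permissionManager,
                                 PluginSettingsFactory settingsFactory) {
        this.authContext = authContext;
        this.permissionManager = permissionManager;
        this.settingsFactory = settingsFactory;
    }

    /**
     * VULNERABLE pattern: only the presence of a logged-in user is checked, so any
     * authenticated Jira user can overwrite administrative configuration. A UI that
     * hides the settings page from non-admins does not protect this endpoint.
     */
    @PUT
    @Path("/insecure")
    @Consumes(MediaType.TEXT_PLAIN)
    public Response updateSettingsInsecure(String body) {
        ApplicationUser user = authContext.getLoggedInUser();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        PluginSettings settings = settingsFactory.createGlobalSettings();
        settings.put(SETTINGS_KEY, body);
        return Response.noContent().build();
    }

    /**
     * HARDENED pattern: the ADMINISTER global permission is verified server-side on
     * every request before any configuration is touched. The check is performed in
     * the endpoint itself, not in the page that links to it.
     */
    @PUT
    @Consumes(MediaType.TEXT_PLAIN)
    public Response updateSettings(String body) {
        ApplicationUser user = authContext.getLoggedInUser();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!permissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, user)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        PluginSettings settings = settingsFactory.createGlobalSettings();
        settings.put(SETTINGS_KEY, body);
        return Response.noContent().build();
    }

    /**
     * Stored XSS: concatenating a stored absence note straight into markup lets a
     * note such as <script>...</script> run for every user who views it.
     */
    public static String renderNoteInsecure(String storedNote) {
        return "<span class=\"absence-note\">" + storedNote + "</span>";
    }

    /**
     * Hardened: HTML-encode the stored value at the point it is placed into HTML.
     * Encoding on output (rather than only filtering on input) also protects data
     * that was stored before the fix was deployed.
     */
    public static String renderNote(String storedNote) {
        return "<span class=\"absence-note\">" + StringEscapeUtils.escapeHtml4(storedNote) + "</span>";
    }
}
```

When the view is a Velocity template rather than Java, the same output-encoding rule applies: render the value with `$textutils.htmlEncode($note)` instead of `$!note`. Any user-controlled value emitted into a JavaScript context or an attribute needs the encoding appropriate to that context, not just HTML entity encoding.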
Please note: No exploit instructions or proof-of-concept details are provided, in accordance with Atlassian’s security disclosure guidelines.
Severity
ij-solutions has assessed these vulnerabilities as High severity based on potential impact and Atlassian’s guidance.
Remediation
All customers should upgrade to version 1.9.0 or later as soon as possible.
Version 1.9.0 includes complete fixes for both vulnerabilities.
If your instance cannot be upgraded immediately, we recommend restricting access to the app's administrative functionality and monitoring access logs for suspicious requests to the app's administrative endpoints until the upgrade can be performed. These measures reduce exposure but do not correct the underlying flaws; upgrading to 1.9.0 or later is the only complete fix.
Disclosure Timeline
| Date (DD-MM-YYYY) | Event |
|---|---|
| 24-10-2025 | Vulnerabilities reported to ij-solutions |
| 29-10-2025 | Investigation and validation completed |
| 30-10-2025 | Version 1.9.0 released with security fixes |
| 07-12-2025 | Public disclosure of this advisory |
Contact
If you have questions or need assistance upgrading, please contact our support team: