Inbox for Jira Security Advisory 2021-10-28


Vulnerability 1: Stored XSS in the Rest API

Advisory release date

  • 2021-10-28

Product

  • Inbox for Jira

Affected versions

Inbox for Jira app - Marketplace download version:

  • All 4.2.x versions

  • All 5.x.x versions up to 5.0.3

Fixed versions - Inbox for Jira Marketplace App

  • 5.0.4


Summary of vulnerability

This advisory discloses a critical severity security vulnerability in versions of the Inbox for Jira app prior to 5.0.4.

Customers who have upgraded to Inbox for Jira version 5.0.4 are not affected.

If you have downloaded and installed any of the versions listed in the Affected versions section, you must upgrade your installation to fix this vulnerability.
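The following is an added example, not part of the Rixter AB advisory: a small check that classifies an installed app version against the affected ranges stated above (all 4.2.x, and 5.x.x up to 5.0.3, fixed in 5.0.4). It assumes the app reports plain three-part dotted versions; the version strings in the sample inventory are constructed for illustration.

```python
"""Classify Inbox for Jira app versions against the ranges in this advisory.

Added example; not Rixter AB's code. Assumes plain "major.minor.patch"
version strings. The inventory below is constructed sample data.
"""
import re

FIXED_VERSION = (5, 0, 4)  # first version that contains the fix


def parse_version(text):
    """Parse "major.minor.patch" into an int tuple; reject anything else."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version falls in an affected range named by the advisory.

    Affected: every 4.2.x release, and every 5.x.x release below 5.0.4.
    Versions outside the listed ranges (for example 4.1.x) are not listed
    as affected by the advisory and so return False here.
    """
    major, minor, patch = parse_version(version)
    if major == 4 and minor == 2:
        return True
    if major == 5 and (major, minor, patch) < FIXED_VERSION:
        return True
    return False


def triage(inventory):
    """Return {instance: verdict} for a mapping of instance name -> version."""
    verdicts = {}
    for instance, version in inventory.items():
        if is_affected(version):
            verdicts[instance] = f"AFFECTED ({version}); upgrade to 5.0.4 or later"
        else:
            verdicts[instance] = f"not affected ({version})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    sample = {"jira-prod": "5.0.3", "jira-staging": "4.2.9", "jira-dev": "5.0.4"}
    for name, verdict in triage(sample).items():
        print(f"{name}: {verdict}")
```

`triage` is deliberately strict: an unparseable version raises rather than being silently treated as safe, so a malformed inventory entry is noticed instead of hiding an affected instance.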

Vulnerability 1: Stored XSS in the Rest API


Rixter AB rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is our assessment and you should evaluate its applicability to your own IT environment.


The phrase parameter of the endpoint /rest/inbox/1.0/notification/message/{user_name_to_notify} is not validated, which allows a stored cross-site scripting (XSS) attack: markup submitted in the phrase is saved and later rendered to other users.
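To make the pattern concrete, here is an added example (not code from the Inbox for Jira app or from Rixter AB) that contrasts a notification store which saves and renders the phrase as-is with one that validates the input and HTML-encodes it on output. The endpoint path is the one named in the advisory; the InboxStore class, its methods and the sample phrases are constructed for illustration.

```python
"""Stored XSS via an unvalidated notification phrase, and its mitigation.

Added example; not the app's code. InboxStore, its methods and the sample
phrases are constructed. Only the endpoint path comes from the advisory.
"""
import html
import re

ENDPOINT = "/rest/inbox/1.0/notification/message/{user_name_to_notify}"

# Conservative allow-list for a notification phrase: word characters,
# spaces and common punctuation, 1..500 characters. Markup never matches.
_PHRASE_RE = re.compile(r"[\w .,:;!?'()\-]{1,500}")


def validate_phrase(phrase):
    """Input validation: True only if the phrase is plain text we expect."""
    return _PHRASE_RE.fullmatch(phrase) is not None


class InboxStore:
    """In-memory stand-in for the app's per-user notification store."""

    def __init__(self):
        self._messages = {}  # user name -> list of stored phrases

    # --- vulnerable pattern: store raw input, render raw output -----------
    def store_unvalidated(self, user, phrase):
        """Saves whatever the caller sent; nothing is checked or encoded."""
        self._messages.setdefault(user, []).append(phrase)

    def render_vulnerable(self, user):
        """Concatenates stored text straight into HTML, so stored markup
        (e.g. a <script> element) becomes live content for every viewer."""
        return "".join(f"<li>{p}</li>" for p in self._messages.get(user, []))

    # --- hardened pattern: validate on input, encode on output ------------
    def store_validated(self, user, phrase):
        """Rejects phrases outside the allow-list before anything is stored."""
        if not validate_phrase(phrase):
            raise ValueError("phrase contains characters that are not allowed")
        self._messages.setdefault(user, []).append(phrase)

    def render_fixed(self, user):
        """Encodes each stored phrase for an HTML text context, so '<', '>',
        '&' and quotes are shown as literal characters, not parsed as markup."""
        return "".join(
            f"<li>{html.escape(p, quote=True)}</li>"
            for p in self._messages.get(user, [])
        )


def contains_script_element(rendered_html):
    """Detection helper: does the rendered page carry a live <script> tag?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    store = InboxStore()
    # Constructed test phrase; the classic textbook marker for an XSS check.
    hostile = "<script>alert(1)</script>"
    store.store_unvalidated("alice", hostile)
    print("vulnerable render has live script:",
          contains_script_element(store.render_vulnerable("alice")))
    print("fixed render has live script:",
          contains_script_element(store.render_fixed("alice")))
    print("validation accepts hostile phrase:", validate_phrase(hostile))
```

Output encoding in `render_fixed` is the control that actually closes the hole, because it works for every phrase regardless of how it reached the store; the allow-list in `store_validated` is defence in depth that also keeps the stored data clean for any other consumer (e-mail digests, mobile clients) that might render it without encoding.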


The issue was discovered by Klarna Bank AB through their internal security program.


We have taken the following steps to address this issue:

  1. Released version 5.0.4 of Inbox for Jira Data Center and Server

What you need to do

Rixter AB recommends that you upgrade to the latest fix version.


Click Install in the Manage Apps section of your Jira instance, or download the app from the Atlassian Marketplace and install it manually.



If you have questions or concerns regarding this advisory, raise a support request with Rixter AB.


Security bug fix policy

Rixter AB maintains a single release track, so customers must upgrade to the latest version to receive security fixes.

Rixter AB does not backport any updates.

Severity levels for security issues

Rixter AB uses the Atlassian severity levels to rate security issues.

End of Life policy

Our End of Life policy varies for different products. Please refer to the policy for details.