Security Advisory: CVE-2025-67824 - Stored XSS in WorklogPRO DC

This advisory documents a Stored Cross-Site Scripting (XSS) vulnerability discovered in the WorklogPRO - Jira Timesheets app.

 

1. Vulnerability Overview

  • CVE ID: CVE-2025-67824

  • Product: WorklogPRO - Jira Timesheets

  • Vendor: The Starware

  • Vulnerability Type: Cross-Site Scripting (XSS) - Stored

 

2. Affected and Fixed Versions

  • Affected Versions: All versions before 4.24.2

  • Fixed Version: 4.24.2

 

3. Technical Description

The WorklogPRO - Jira Timesheets plugin for Jira Data Center before version 4.24.2 allows users and attackers to inject arbitrary HTML or JavaScript via a stored Cross-Site Scripting (XSS) vulnerability.

The vulnerability is exploited by placing a specially crafted payload in the name of a filter. The payload executes in the browser when a user attempts to create a timesheet with the filter timesheet type in the custom timesheet dialog, because the filter name is not properly sanitized during that action.

4. Proof of Concept

The following steps demonstrate how to reproduce the vulnerability:

  1. Injection: Log in to the application and perform a search in the "Issues" section. Click on the "Save as" button to save the current search. In the "Filter Name" field, inject the following XSS payload: <script>alert("xss")</script>

  2. Navigation: Navigate to the Timesheets page.

  3. Trigger: Locate and click on the Filter dropdown menu to display the list of saved filters.

  4. Execution: The application renders the saved filter name in the dropdown list without proper output encoding.

  5. Observation: The injected JavaScript executes immediately in the browser context, displaying an alert box.

Figure 1: PoC demonstrating XSS execution in Custom Timesheet dialog on the Timesheet Page
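
The missing output encoding described in step 4, shown as an added example that is not WorklogPRO source code: a dropdown renderer that concatenates the filter name into markup, next to a version that encodes it, plus a helper for reviewing filter names that were saved before the upgrade. The function names, the markup and the filter object shape ({ id, name }) are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering code, not taken from the plugin.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored filter name goes into the markup as-is,
// so any tags inside it are parsed as HTML by the browser.
function renderFilterItemsUnsafe(filters) {
  return filters
    .map((f) => `<li data-filter-id="${f.id}">${f.name}</li>`)
    .join("");
}

// Hardened pattern: every dynamic value is encoded for the HTML context
// it lands in (element text and a quoted attribute value).
function renderFilterItemsSafe(filters) {
  return filters
    .map((f) => `<li data-filter-id="${escapeHtml(f.id)}">${escapeHtml(f.name)}</li>`)
    .join("");
}

// Review helper: return the ids of filters whose stored name contains
// angle brackets, so names saved before the fix can be inspected.
function findNamesWithMarkup(filters) {
  return filters.filter((f) => /[<>]/.test(String(f.name))).map((f) => f.id);
}

// Constructed sample data; the second name is the PoC string from step 1.
const sampleFilters = [
  { id: 10001, name: "Open bugs & tasks" },
  { id: 10002, name: '<script>alert("xss")</script>' },
];

console.log(renderFilterItemsUnsafe(sampleFilters));
console.log(renderFilterItemsSafe(sampleFilters));
console.log(findNamesWithMarkup(sampleFilters));
```
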

 

5. Mitigation / Solution

Users are advised to upgrade to version 4.24.2 or later, which addresses this issue. The vendor has released a fix under issue ID WLP-1599.

 

6. Credit

Discovered by “Prashant Patel”.