Hello, I found that jira Work Management is vulnerable to stored xss
https://blog.snapsec.co/from-stored-xss-to-full-organization-takeover-in-jira-work-management/
has this bug been fixed? or any hotfix for this issue available?
thanks a lot
Jira Work Management is a cloud-only product (now fully merged into Jira Cloud as of 2023), which means Atlassian manages all patching and updates server-side. If this vulnerability was reported to Atlassian and confirmed, the fix would have been deployed automatically to all cloud instances without any action needed on your part. There is no hotfix to manually apply for cloud products.
To check the current status:
1. Review Atlassian's official security advisories page at https://www.atlassian.com/trust/security/advisories to see if this specific CVE or vulnerability has been listed and addressed.
2. If you do not find it listed there, you can report it directly (or ask about its status) through Atlassian's security team by emailing security@atlassian.com or filing a ticket at https://support.atlassian.com. Reference the SnapSec blog post so they can confirm whether the issue has been resolved.
3. You can also check the Jira Cloud release notes for any mention of security fixes at https://www.atlassian.com/software/jira/whats-new.
ALSO: It is worth noting that the SnapSec blog post describes a responsible disclosure, meaning Atlassian was likely notified before publication and may have already patched the issue before or shortly after the blog went public.
Hello @Fox Cup
Small but important detail first: Jira Work Management is/was Cloud-only, so there is no Server patch line for that product. Atlassian’s own FAQ says they do not release Server or Data Center versions of JWM, and Atlassian Server support ended on February 15, 2024 anyway.
So if the question is specifically about Jira Work Management, I would not expect a Server hotfix here.
I also do not see a matching official Atlassian security advisory / bulletin entry for that specific stored XSS at the moment. The SnapSec post is public, but from Atlassian’s public security pages I cannot confirm a released fix yet.