In the «Time in Status» app before 4.13.0 for Jira, remote authenticated attackers can cause Stored XSS.