XSS can injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. A previous request #11685 removed injection points in trackers and agile dashboard, but new injection point has been introduced lately.
An attacker could use this vulnerability to force a victim to execute uncontrolled code.
CVSSv3 score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
As a tracker admin edit the color of a selectbox value and intercept the request to replace the name of the color by a payload like
"><script>alert(1)</script> to demonstrate the issue.
OWASP Cross-site Scripting