Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x prior to 8.1.10, 9.2.x prior to 9.2.6, 9.3.x prior to 9.3.2, and 9.4.x prior to 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an malicious user to perform reflected cross-site scripting attacks against the users of the Mattermost server.