CVE-2017-18034

Published: Feb 2, 2018Modified: Nov 21, 2024

5.4

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.

Affected (4)

Products: Atlassian: Crucible, Fisheye

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Atlassian Crucible	Before 4.5.1
Atlassian Crucible	Version 4.6.0
Atlassian Fisheye	Before 4.5.1
Atlassian Fisheye	Version 4.6.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://jira.atlassian.com/browse/CRUC-8161

Source: security@atlassian.com

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/FE-6994

Source: security@atlassian.com

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/CRUC-8161

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/FE-6994

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.