CVE-2017-18093 — Cross-site Scripting in Atlassian Crucible

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 60.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Crucible Atlassian Fisheye Atlassian Fisheye AND Crucible

Timeline

PublishedFeb 19

Latest updateMay 14

Description

Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5atlassian/fisheye_and_crucibleprior to 4.4.3, prior to 4.5.0+1

▶NVDatlassian/fisheye4.4.0 — 4.4.3

▶NVDatlassian/crucible4.4.0 — 4.4.3

🔴Vulnerability Details

GHSA

GHSA-5j87-vc56-frp3: Various resources in Atlassian Fisheye and Crucible before version 4↗2022-05-14

▶

CVEList

CVE-2017-18093: Various resources in Atlassian Fisheye and Crucible before version 4↗2018-02-19

▶