CVE-2017-18094 — Cross-site Scripting in Atlassian Crucible

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 64.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Crucible Atlassian Fisheye Atlassian Fisheye AND Crucible

Timeline

PublishedMar 22

Latest updateMay 14

Description

Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5atlassian/fisheye_and_crucibleprior to 4.4.3, prior to 4.5.0+1

▶NVDatlassian/fisheye4.4.0 — 4.4.3+1

▶NVDatlassian/crucible4.4.0 — 4.4.3+1

🔴Vulnerability Details

GHSA

GHSA-v9g7-28gp-hc9w: Various resources in Atlassian Fisheye and Crucible before version 4↗2022-05-14

▶

CVEList

CVE-2017-18094: Various resources in Atlassian Fisheye and Crucible before version 4↗2018-03-22

▶