CVE-2017-9509 — Cross-site Scripting in Atlassian Crucible

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 51.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Crucible Atlassian Fisheye Atlassian Crucible

Timeline

PublishedAug 24

Latest updateMay 14

Description

The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDatlassian/crucible4.4.0

▶CVEListV5atlassian/atlassian_crucibleAll versions prior to version 4.4.1

▶NVDatlassian/fisheye4.4.0

🔴Vulnerability Details

GHSA

GHSA-j2p5-3h42-x537: The review file upload resource in Atlassian Crucible before version 4↗2022-05-14

▶

CVEList

CVE-2017-9509: The review file upload resource in Atlassian Crucible before version 4↗2017-08-24

▶