CVE-2018-20239

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.5%

top 32.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Atlassian Application Links Atlassian Application Links Atlassian Confluence Data Center +6 more

Timeline

PublishedApr 30

Latest updateMay 24

Description

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before v…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages9 packages

▶NVDatlassian/application_links5.1.0 — 5.2.10+4

▶CVEListV5atlassian/atlassian_application_linksunspecified — 5.0.11+8

▶NVDatlassian/crowd< 3.4.3

▶NVDatlassian/fisheye< 4.7.0

▶NVDatlassian/crucible< 4.7.0

🔴Vulnerability Details

GHSA

GHSA-778g-4c8j-829w: Application Links before version 5↗2022-05-24

▶

CVEList

CVE-2018-20239: Application Links before version 5↗2019-04-30

▶