CVE-2017-18094
Vulnerability from cvelistv5
Published
2018-03-22 13:00
Modified
2024-09-16 18:28
Severity ?
EPSS score ?
Summary
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.
References
▼ | URL | Tags | |
---|---|---|---|
security@atlassian.com | https://jira.atlassian.com/browse/CRUC-8177 | Vendor Advisory | |
security@atlassian.com | https://jira.atlassian.com/browse/FE-7010 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/CRUC-8177 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/FE-7010 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Atlassian | Fisheye and Crucible |
Version: prior to 4.4.3 Version: prior to 4.5.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:13:48.168Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/FE-7010" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.atlassian.com/browse/CRUC-8177" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Fisheye and Crucible", "vendor": "Atlassian", "versions": [ { "status": "affected", "version": "prior to 4.4.3" }, { "status": "affected", "version": "prior to 4.5.0" } ] } ], "datePublic": "2018-02-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-22T12:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/FE-7010" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.atlassian.com/browse/CRUC-8177" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-02-19T00:00:00", "ID": "CVE-2017-18094", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Fisheye and Crucible", "version": { "version_data": [ { "version_value": "prior to 4.4.3" }, { "version_value": "prior to 4.5.0" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jira.atlassian.com/browse/FE-7010", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/FE-7010" }, { "name": "https://jira.atlassian.com/browse/CRUC-8177", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/CRUC-8177" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18094", "datePublished": "2018-03-22T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T18:28:38.668Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2017-18094\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2018-03-22T13:29:00.217\",\"lastModified\":\"2024-11-21T03:19:20.900\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.\"},{\"lang\":\"es\",\"value\":\"Varios recursos en Atlassian Fisheye y Crucible en versiones anteriores a la 4.4.3 (la versi\u00f3n parcheada para 4.4.x) y 4.5.0 permiten que atacantes remotos con privilegios administrativos inyecten c\u00f3digo HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) a trav\u00e9s de la configuraci\u00f3n de ruta base de un repositorio de sistema de archivos configurado.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.4.3\",\"matchCriteriaId\":\"97718354-9B00-4E93-A879-7423456E0344\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:fisheye:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC4FA7F3-F6C3-4976-9E2A-2C7A6FE8329D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.4.3\",\"matchCriteriaId\":\"C1A5C301-8708-4774-9DC5-717E88A805F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:crucible:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E86BAE07-084C-411C-AAD9-676E8FC50703\"}]}]}],\"references\":[{\"url\":\"https://jira.atlassian.com/browse/CRUC-8177\",\"source\":\"security@atlassian.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/FE-7010\",\"source\":\"security@atlassian.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/CRUC-8177\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/FE-7010\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.