cnvd - cnvd-2018-10218

cnvd-2018-10218

Vulnerability from cnvd

Title: Atlassian Application Links跨站脚本漏洞（CNVD-2018-10218）

Description:

Atlassian Application Links是澳大利亚Atlassian公司的一款使用在Atlassian产品中用于创建连接到其他应用程序中的按钮的插件。

Atlassian Application Links 5.2.7之前版本、5.3.4之前的5.3.0版本和5.4.3之前的5.4.0版本中的invalidRedirectUrl模板存在跨站脚本漏洞。远程攻击者可借助‘redirectUrl’参数利用该漏洞注入任意的HTML或JavaScript代码。

Severity: 中

Patch Name: Atlassian Application Links跨站脚本漏洞（CNVD-2018-10218）的补丁

Patch Description:

Atlassian Application Links是澳大利亚Atlassian公司的一款使用在Atlassian产品中用于创建连接到其他应用程序中的按钮的插件。

Atlassian Application Links 5.2.7之前版本、5.3.4之前的5.3.0版本和5.4.3之前的5.4.0版本中的invalidRedirectUrl模板存在跨站脚本漏洞。远程攻击者可借助‘redirectUrl’参数利用该漏洞注入任意的HTML或JavaScript代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://ecosystem.atlassian.net/browse/APL-1363

Reference: https://ecosystem.atlassian.net/browse/APL-1363

Impacted products

Name
['Atlassian Application Links <5.2.7', 'Atlassian Application Links 5.3.0，<5.3.4', 'Atlassian Application Links 5.4.0，<5.4.3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104188"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-16860",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16860"
    }
  },
  "description": "Atlassian Application Links\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u6b3e\u4f7f\u7528\u5728Atlassian\u4ea7\u54c1\u4e2d\u7528\u4e8e\u521b\u5efa\u8fde\u63a5\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6309\u94ae\u7684\u63d2\u4ef6\u3002\r\n\r\nAtlassian Application Links 5.2.7\u4e4b\u524d\u7248\u672c\u30015.3.4\u4e4b\u524d\u76845.3.0\u7248\u672c\u548c5.4.3\u4e4b\u524d\u76845.4.0\u7248\u672c\u4e2d\u7684invalidRedirectUrl\u6a21\u677f\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018redirectUrl\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002",
  "discovererName": "Atlassian",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://ecosystem.atlassian.net/browse/APL-1363",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10218",
  "openTime": "2018-05-23",
  "patchDescription": "Atlassian Application Links\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u6b3e\u4f7f\u7528\u5728Atlassian\u4ea7\u54c1\u4e2d\u7528\u4e8e\u521b\u5efa\u8fde\u63a5\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6309\u94ae\u7684\u63d2\u4ef6\u3002\r\n\r\nAtlassian Application Links 5.2.7\u4e4b\u524d\u7248\u672c\u30015.3.4\u4e4b\u524d\u76845.3.0\u7248\u672c\u548c5.4.3\u4e4b\u524d\u76845.4.0\u7248\u672c\u4e2d\u7684invalidRedirectUrl\u6a21\u677f\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018redirectUrl\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian Application Links\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10218\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian Application Links \u003c5.2.7",
      "Atlassian Application Links 5.3.0\uff0c\u003c5.3.4",
      "Atlassian Application Links 5.4.0\uff0c\u003c5.4.3"
    ]
  },
  "referenceLink": "https://ecosystem.atlassian.net/browse/APL-1363",
  "serverity": "\u4e2d",
  "submitTime": "2018-05-23",
  "title": "Atlassian Application Links\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10218\uff09"
}

CVE-2017-16860 (GCVE-0-2017-16860)

Vulnerability from cvelistv5

Published

2018-05-14 13:00

Modified

2024-09-17 00:10

Severity ?

CWE

Cross Site Scripting (XSS)

Summary

The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.

References

▼	URL	Tags
	https://ecosystem.atlassian.net/browse/APL-1363	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/104188	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	Atlassian	Application Links	Version: unspecified < 5.2.7 Version: 5.3.0 < unspecified Version: unspecified < 5.3.4 Version: 5.4.0 < unspecified Version: unspecified < 5.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:35:21.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://ecosystem.atlassian.net/browse/APL-1363"
          },
          {
            "name": "104188",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104188"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Application Links",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "5.2.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.3.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "5.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.4.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-05-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-17T09:57:01",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://ecosystem.atlassian.net/browse/APL-1363"
        },
        {
          "name": "104188",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104188"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2018-05-14T00:00:00",
          "ID": "CVE-2017-16860",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Application Links",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.2.7"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "5.3.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.3.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "5.4.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.4.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ecosystem.atlassian.net/browse/APL-1363",
              "refsource": "CONFIRM",
              "url": "https://ecosystem.atlassian.net/browse/APL-1363"
            },
            {
              "name": "104188",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104188"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2017-16860",
    "datePublished": "2018-05-14T13:00:00Z",
    "dateReserved": "2017-11-16T00:00:00",
    "dateUpdated": "2024-09-17T00:10:37.417Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted