[BAM-8260] XSS in Bamboo User Management

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.7.4, 3.0
Affects Version/s: 2.0, (37)
2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3, 2.3.1, 2.4, 2.4.1, 2.4.2, 2.4.3, 2.5, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 2.6, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7, 2.7.1, 2.7.2, 2.7.3
Component/s: None
Labels:
- advisory

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a cross-site scripting (XSS) vulnerability in Bamboo's User Management pages. This affects Bamboo versions 1.0 to 2.7.3.

An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Bamboo page. An attacker's text and script might be displayed to other people viewing the page.

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/rAP5FQ

We recommend you to upgrade your Bamboo installation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:

Monique Khairuliana (Inactive) made changes - 19/Aug/2019 2:03 AM

Workflow	Original: Bamboo Workflow 2016 v1 - Restricted [ 1435404 ]	New: JAC Bug Workflow v3 [ 3384112 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 07/Jul/2016 3:48 AM

Workflow

Original: Bamboo Workflow 2016 v1 [ 1410101 ]

New: Bamboo Workflow 2016 v1 - Restricted [ 1435404 ]

Marek Went (Inactive) made changes - 16/Jun/2016 10:18 AM

Workflow

Original: Bamboo Workflow 2014 v2 [ 610379 ]

New: Bamboo Workflow 2016 v1 [ 1410101 ]

James Dumay made changes - 17/Jan/2014 12:01 AM

Workflow

Original: Bamboo Workflow 2014 [ 593048 ]

New: Bamboo Workflow 2014 v2 [ 610379 ]

James Dumay made changes - 15/Jan/2014 1:31 AM

Workflow

Original: Bamboo Workflow 2010 [ 281656 ]

New: Bamboo Workflow 2014 [ 593048 ]

David Black made changes - 23/Dec/2013 4:16 AM

Description

Original: We have identified and fixed a cross-site scripting (XSS) vulnerability in Bamboo's User Management pages. This affects Bamboo versions 1.0 to 2.7.3.
* An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
* XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Bamboo page. An attacker's text and script might be displayed to other people viewing the page.

This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/7gAMDg

We recommend you to upgrade your Bamboo installation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
* http://www.cgisecurity.com/xss-faq.html
* http://www.cert.org/advisories/CA-2000-02.html

New: We have identified and fixed a cross-site scripting (XSS) vulnerability in Bamboo's User Management pages. This affects Bamboo versions 1.0 to 2.7.3.
* An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
* XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Bamboo page. An attacker's text and script might be displayed to other people viewing the page.

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/rAP5FQ

We recommend you to upgrade your Bamboo installation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
* http://www.cgisecurity.com/xss-faq.html
* http://www.cert.org/advisories/CA-2000-02.html

VitalyA made changes - 29/Mar/2011 12:09 AM

Security

Original: Reporters and Developers [ 10070 ]

VitalyA made changes - 24/Mar/2011 12:24 AM

Labels

New: advisory

AntonA made changes - 22/Mar/2011 2:36 AM

Assignee

Original: Andrew [ alui ]

New: VitalyA [ vosipov ]

Andrew made changes - 17/Mar/2011 11:41 PM

Description

Original: We have identified and fixed a cross-site scripting (XSS) vulnerability in Bamboo's User Management pages. This affects Bamboo versions 1.0 to 2.7.3.
* An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
* XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Bamboo page. An attacker's text and script might be displayed to other people viewing the page.

This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/K4ADDg

We recommend you to upgrade your Bamboo installation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
* http://www.cgisecurity.com/xss-faq.html
* http://www.cert.org/advisories/CA-2000-02.html

New: We have identified and fixed a cross-site scripting (XSS) vulnerability in Bamboo's User Management pages. This affects Bamboo versions 1.0 to 2.7.3.
* An attacker might take advantage of an XSS vulnerability to steal the current session of a logged-in user.
* XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Bamboo page. An attacker's text and script might be displayed to other people viewing the page.

This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/7gAMDg

We recommend you to upgrade your Bamboo installation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web:
* http://www.cgisecurity.com/xss-faq.html
* http://www.cert.org/advisories/CA-2000-02.html

Assignee:: VitalyA

Reporter:: Andrew

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 15/Mar/2011 11:29 PM

Updated:: 19/Aug/2019 2:03 AM

Resolved:: 15/Mar/2011 11:32 PM

Details

Description

Attachments

Forms

Activity

People

Dates