We have identified and fixed a cross-site scripting (XSS) vulnerability in the Crucible's edit review details screen.
Affected versions are Crucible 2.2.0 to 2.3.7 inclusive.
XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attacks at various places on the web, including these:
- cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
- The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting
This issue is reported in our security advisory on these pages:
- is cloned from
-
CRUC-5309 XSS vulnerability in Crucible Review Reload
-
- Closed
-
[CRUC-5345] XSS vulnerability in Edit Review Details
| Workflow | Original: FE-CRUC Bug Workflow [ 2941764 ] | New: JAC Bug Workflow v3 [ 2955779 ] |
| Workflow | Original: FECRU Development Workflow - Triage - Restricted [ 1512075 ] | New: FE-CRUC Bug Workflow [ 2941764 ] |
| Workflow | Original: FECRU Development Workflow - Triage [ 939510 ] | New: FECRU Development Workflow - Triage - Restricted [ 1512075 ] |
| Workflow | Original: FECRU Development Workflow (Triage) [ 315654 ] | New: FECRU Development Workflow - Triage [ 939510 ] |
| Workflow | Original: Simple review flow with triage [ 275356 ] | New: FECRU Development Workflow (Triage) [ 315654 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Reopened [ 4 ] | New: Closed [ 6 ] |
| Security | Original: Reporters and Developers [ 10090 ] |
| Resolution | Original: Fixed [ 1 ] | |
| Status | Original: Closed [ 6 ] | New: Reopened [ 4 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Needs Triage [ 10030 ] | New: Closed [ 6 ] |
| Link | New: This issue is related to CRUC-5306 [ CRUC-5306 ] |