Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8046

XSS in File Upload when Changing Charset - CVE-2017-9509

XMLWordPrintable

      The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file

            [CRUC-8046] XSS in File Upload when Changing Charset - CVE-2017-9509

            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2940040 ] New: JAC Bug Workflow v3 [ 2954095 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2409576 ] New: FE-CRUC Bug Workflow [ 2940040 ]
            David Black made changes -
            Labels Original: CVE-2017-9509 advisory-released cvss-medium security xss New: CVE-2017-9509 advisory advisory-released cvss-medium security xss
            David Black made changes -
            Labels Original: advisory-released cvss-medium security xss New: CVE-2017-9509 advisory-released cvss-medium security xss
            David Black made changes -
            Summary Original: XSS in File Upload when Changing Charset New: XSS in File Upload when Changing Charset - CVE-2017-9509
            David Black made changes -
            Description Original: A user can change the charset to include malicious content which can cause XSS to other users accessing the review. New: The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file
            David Black made changes -
            Priority Original: Low [ 4 ] New: Medium [ 3 ]

            David Black added a comment -

            CVSS v3 score: 5.4 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction Required

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality Low
            Integrity Low
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

            David Black added a comment - CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
            Piotr Swiecicki made changes -
            Labels Original: advisory-released cvss-medium fecru-published security xss New: advisory-released cvss-medium security xss
            Piotr Swiecicki made changes -
            Labels Original: cvss-medium fecru-published security xss New: advisory-released cvss-medium fecru-published security xss

              Unassigned Unassigned
              pswiecicki Piotr Swiecicki
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: