[%22,] XSS in File Upload when Changing Charset - CVE-2017-9509 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.4.1
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file

David Black added a comment - 22/Aug/2017 3:21 AM

CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

David Black added a comment - 22/Aug/2017 3:21 AM CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Piotr Swiecicki

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 17/Jul/2017 7:57 AM

Updated:: 30/Aug/2017 6:16 AM

Resolved:: 17/Jul/2017 7:58 AM

Details

Description

Attachments

Forms

Activity

[CRUC-8046] XSS in File Upload when Changing Charset - CVE-2017-9509

Collapse comment: David Black added a comment - 22/Aug/2017 3:21 AM

Expand comment: David Black added a comment - 22/Aug/2017 3:21 AM

People

Dates