-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
None
-
Severity 2 - Major
-
The administration user deletion resource in Atlassian FishEye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.
- is cloned from
-
-
- Closed
-
[CRUC-8112] XSS in the administration user deletion resource through the uname parameter - CVE-2017-14587
Thank you for getting back to us dblack.
I understand that this is considered Medium per Atlassian assessment.
Is there any channel (e-mail, rss, etc) that any security issue can be tracked besides this instance of JIRA?
Thank you.
Cheers!
p.s. http://go.atlassian.com/cvss redirects to https://atlassian.my.centrify.com so I'm assuming that isn't public
security+atlassian1282683442 https://www.atlassian.com/trust/security shows advisory publication information generally only for critical security issues. This issue is where a bug that has been fixed has been released.
Hi dblack,
https://www.atlassian.com/trust/security is not showing any Security Advisory for this one ?
Can you confirmed where this was made public ?
Thank you.
Kind regards
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.4 => Medium severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
Scope Metric
| Scope | Changed |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | Low |
| Availability | None |
See http://go.atlassian.com/cvss for more details.
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security+atlassian1282683442 you can setup a Jira filter to email you about the release of non-critical security issues, that is issues with at least the following labels - [advisory-released, advisory, security].