Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8161

XSS in the source browser resource through malicious branch names - CVE-2017-18034

XMLWordPrintable

      The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.

      Affected versions

      • Older than 4.5.1

      Fixed versions

      • 4.5.1 and higher
      • 4.6.0 and higher

            [CRUC-8161] XSS in the source browser resource through malicious branch names - CVE-2017-18034

            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2941858 ] New: JAC Bug Workflow v3 [ 2954332 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2510053 ] New: FE-CRUC Bug Workflow [ 2941858 ]
            David Black made changes -
            Priority Original: High [ 2 ] New: Medium [ 3 ]
            David Black made changes -
            Link New: This issue is detailed by FECRU-7342 [ FECRU-7342 ]
            David Black made changes -
            Link Original: This issue is related to FECRU-7342 [ FECRU-7342 ]
            David Black made changes -
            Link New: This issue relates to FE-6994 [ FE-6994 ]
            David Black made changes -
            Description Original: The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. To exploit this issue an attacker needs write access to a repository indexed by Fisheye or Crucible.


            h3. Affected versions
             * Older than 4.5.1

            h3. Fixed versions
             * 4.5.1 and higher
             * 4.6.0 and higher             		New: The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.

            h3. Affected versions
             * Older than 4.5.1

            h3. Fixed versions
             * 4.5.1 and higher
             * 4.6.0 and higher
            David Black made changes -
            Labels Original: CVE-2017-18034 advisory advisory-released security xss New: CVE-2017-18034 advisory advisory-released cvss-medium security xss
            David Black made changes -
            Labels Original: fecru-published security xss New: CVE-2017-18034 advisory advisory-released security xss
            David Black made changes -
            Summary Original: XSS via malicious branch names New: XSS in the source browser resource through malicious branch names - CVE-2017-18034

              Unassigned Unassigned
              mparfianowicz Marek Parfianowicz
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: