-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
None
-
Severity 2 - Major
-
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
- relates to
-
FE-7006 XSS in the admin backupprogress action through the filename of a backup - CVE-2017-18091
-
- Closed
-
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.8 => Medium severity
Exploitability Metrics
Scope Metric
Impact Metrics
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N