Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8201

XSS through header injection in the /browse/~raw resource - CVE-2018-5228

XMLWordPrintable

      The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.

            [CRUC-8201] XSS through header injection in the /browse/~raw resource - CVE-2018-5228

            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2938914 ] New: JAC Bug Workflow v3 [ 2953613 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2660653 ] New: FE-CRUC Bug Workflow [ 2938914 ]
            David Black made changes -
            Description Original: The /browse/~raw resource in Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers. New: The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
            David Black made changes -
            Description Original: The /browse/~raw resource in Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the handling of response headers. New: The /browse/~raw resource in Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
            David Black made changes -
            Description Original: The /browse/~raw resource in Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers. New: The /browse/~raw resource in Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the handling of response headers.
            David Black made changes -
            Summary Original: XSS through header injection in the /browse/~raw resource -CVE-2018-5228 New: XSS through header injection in the /browse/~raw resource - CVE-2018-5228
            David Black made changes -
            Labels Original: CVE-2018-5228 advisory advisory-to-release cvss-medium http-response-injection injection security xss New: CVE-2018-5228 advisory advisory-released cvss-medium http-response-injection injection security xss
            David Black made changes -
            Fix Version/s New: 4.6.0 [ 75221 ]
            Fix Version/s New: 4.5.3 [ 78100 ]
            Fix Version/s Original: 4.6.0 [ 75497 ]
            Fix Version/s Original: 4.5.3 [ 78101 ]
            Key Original: FE-7036 New: CRUC-8201
            Affects Version/s New: 4.5.1 [ 75071 ]
            Affects Version/s New: 4.4.3 [ 73502 ]
            Affects Version/s Original: 4.4.3 [ 73503 ]
            Affects Version/s Original: 4.5.1 [ 74943 ]
            Project Original: FishEye [ 11830 ] New: Crucible [ 11771 ]
            David Black made changes -
            Link New: This issue relates to FE-7035 [ FE-7035 ]
            David Black made changes -
            Link Original: This issue is cloned from FE-7035 [ FE-7035 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: