Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8304

Several resources were vulnerable to XSS - CVE-2018-13392

XMLWordPrintable

      Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.

            [CRUC-8304] Several resources were vulnerable to XSS - CVE-2018-13392

            Owen made changes -
            Workflow Original: FE-CRUC Bug Workflow [ 2942021 ] New: JAC Bug Workflow v3 [ 2955949 ]
            Owen made changes -
            Workflow Original: FECRU Development Workflow - Triage - Restricted [ 2758171 ] New: FE-CRUC Bug Workflow [ 2942021 ]
            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            David Black made changes -
            Labels Original: advisory advisory-released cvss-medium security sxss xss New: CVE-2018-13392 advisory advisory-released cvss-medium security sxss xss
            David Black made changes -
            Labels Original: advisory advisory-to-release cvss-medium security sxss xss New: advisory advisory-released cvss-medium security sxss xss

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 5.4 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity Low
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
            David Black made changes -
            Link New: This issue relates to FE-7081 [ FE-7081 ]
            David Black made changes -
            Link Original: This issue is cloned from FE-7081 [ FE-7081 ]
            David Black made changes -
            Fix Version/s New: 4.6.0 [ 75221 ]
            Fix Version/s Original: 4.6.0 [ 75497 ]
            Key Original: FE-7082 New: CRUC-8304
            Project Original: FishEye [ 11830 ] New: Crucible [ 11771 ]
            David Black made changes -
            Link New: This issue is detailed by FECRU-7532 [ FECRU-7532 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: