Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8379

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

XMLWordPrintable

      The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details.

            [CRUC-8379] XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

            Anonymous made changes -
            Remote Link Original: This issue links to "APL-1373 (Ecosystem Jira)" [ 421477 ] New: This issue links to "APL-1373 (Ecosystem JIRA)" [ 421477 ]
            David Black made changes -
            Labels Original: CVE-2018-20239 cvss-medium security xss New: CVE-2018-20239 advisory advisory-released cvss-medium patch-management security xss
            David Black made changes -
            Summary Original: XSS in Application Links through the applinkStartingUrl parameter - CVE-2018-20239 New: XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239
            David Black made changes -
            Remote Link New: This issue links to "APL-1373 (Ecosystem Jira)" [ 421477 ]
            David Black made changes -
            Labels Original: cvss-medium security xss New: CVE-2018-20239 cvss-medium security xss
            David Black made changes -
            Security Original: Atlassian Staff [ 10750 ]
            David Black made changes -
            Link New: This issue is related to FE-7161 [ FE-7161 ]
            David Black made changes -
            Description Original: Application links in Atlassian Fisheye Crucible Development before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. New: The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details.
            David Black made changes -
            Summary Original: XSS in Application Links through the applinkStartingUrl parameter - CVE-TBD New: XSS in Application Links through the applinkStartingUrl parameter - CVE-2018-20239
            David Black made changes -
            Remote Link New: This issue links to "SECURITY-1179 (Security JIRA (CYBER/J))" [ 415053 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: