[%22,] XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 3.5.0, 3.4.3
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The version of the Application Links plugin used in Crowd before version 3.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details.

relates to

JRASERVER-68855 XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

Closed

BAM-20254 XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

Closed

APL-1370 Failed to load

BBSDEV-19392 You do not have permission to view this issue

SECURITY-1179 Failed to load

is related to: APL-1373 Loading...

mentioned in: Page Loading...

(1 is related to, 1 mentioned in)

Daniel Serkowski made changes - 04/Nov/2022 2:43 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 431383 ]

Esteban Casuscelli made changes - 29/Mar/2022 3:21 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 630363 ]

Esteban Casuscelli made changes - 29/Mar/2022 3:19 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 630363 ]

Esteban Casuscelli made changes - 29/Mar/2022 12:45 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 630434 ]

Monique Khairuliana (Inactive) made changes - 15/Aug/2019 7:06 AM

Workflow

Original: Simplified Crowd Development Workflow v2 - restricted [ 3102606 ]

New: JAC Bug Workflow v3 [ 3365946 ]

Gaurav Agarwal (Inactive) made changes - 19/Jun/2019 11:09 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 431383 ]

David Black made changes - 30/Apr/2019 2:34 AM

Remote Link

New: This issue links to "APL-1373 (Ecosystem Jira)" [ 421480 ]

David Black made changes - 30/Apr/2019 2:33 AM

Labels

Original: CVE-2018-20239 advisory-released cvss-medium patch-management security

New: CVE-2018-20239 advisory advisory-released cvss-medium patch-management security xss

David Black made changes - 30/Apr/2019 2:27 AM

Labels

Original: CVE-2018-20239 cvss-medium patch-management security

New: CVE-2018-20239 advisory-released cvss-medium patch-management security

David Black made changes - 30/Apr/2019 2:27 AM

Description

Original: The version of the Application Links plugin used in Crowd before version 3.5.0 and from version 3.4.0 before version 3.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details.

New: The version of the Application Links plugin used in Crowd before version 3.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details.

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 14/Feb/2019 3:17 AM

Updated:: 04/Nov/2022 2:43 PM

Resolved:: 03/Apr/2019 1:47 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[CWD-5362] XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

People

Dates