• Type: Bug
• Resolution: Fixed
• Priority: Medium
• Fix Version/s: 4.7.3, 4.8.0
• Affects Version/s: N/A
• Component/s: User interface
• Labels:

  • CVE-2019-15007
  • advisory
  • advisory-released
  • bugbounty
  • cvss-medium
  • security
  • xss

[FE-7250] XSS in the the review resource through the name of a missing branch - CVE-2019-15007

David Black made changes - 11/Dec/2019 1:42 AM

Labels

Original: CVE-2019-15007 advisory advisory-to-release bugbounty cvss-medium security xss

New: CVE-2019-15007 advisory advisory-released bugbounty cvss-medium security xss

David Black made changes - 11/Dec/2019 1:41 AM

Security

Original: Atlassian Staff [ 10750 ]

Marek Parfianowicz made changes - 10/Dec/2019 9:38 AM

Affects Version/s		New: N/A [ 54414 ]
Affects Version/s	Original: 4.7.1 [ 87092 ]

David Black made changes - 10/Dec/2019 2:14 AM

Labels

Original: advisory advisory-to-release bugbounty cvss-medium security xss

New: CVE-2019-15007 advisory advisory-to-release bugbounty cvss-medium security xss

David Black made changes - 10/Dec/2019 2:14 AM

Summary

Original: XSS in the the review resource through the name of a missing branch

New: XSS in the the review resource through the name of a missing branch - CVE-2019-15007

David Black made changes - 10/Dec/2019 2:06 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Needs Triage [ 10030 ]	New: Closed [ 6 ]

Collapse comment: David Black added a comment - 10/Dec/2019 2:04 AM

David Black added a comment - 10/Dec/2019 2:04 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 6.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	High
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Expand comment: David Black added a comment - 10/Dec/2019 2:04 AM

David Black added a comment - 10/Dec/2019 2:04 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 6.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required High User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

David Black made changes - 10/Dec/2019 2:04 AM

Description

Original: The review resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

New: The review resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

David Black made changes - 10/Dec/2019 2:04 AM

Component/s		New: User interface [ 12295 ]
Component/s	Original: Projects [ 12952 ]
Fix Version/s		New: 4.8.0 [ 85591 ]
Fix Version/s		New: 4.7.3 [ 90793 ]
Fix Version/s	Original: 4.8.0 [ 85091 ]
Fix Version/s	Original: 4.7.3 [ 90290 ]
Key	Original: CRUC-8440	New: FE-7250
Affects Version/s		New: 4.7.1 [ 87092 ]
Affects Version/s	Original: 4.7.1 [ 87093 ]
Project	Original: Crucible [ 11771 ]	New: FishEye [ 11830 ]

David Black made changes - 10/Dec/2019 2:03 AM

Link

New: This issue relates to CRUC-8439 [ CRUC-8439 ]

Load more older events