[FE-7250] XSS in the the review resource through the name of a missing branch - CVE-2019-15007 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.7.3, 4.8.0
Affects Version/s: N/A
Component/s: User interface
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The review resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

relates to

CRUC-8439 XSS in the the review resource through the name of a missing branch - CVE-2019-15007

Closed

David Black made changes - 11/Dec/2019 1:42 AM

Labels

Original: CVE-2019-15007 advisory advisory-to-release bugbounty cvss-medium security xss

New: CVE-2019-15007 advisory advisory-released bugbounty cvss-medium security xss

David Black made changes - 11/Dec/2019 1:41 AM

Security

Original: Atlassian Staff [ 10750 ]

Marek Parfianowicz made changes - 10/Dec/2019 9:38 AM

Affects Version/s		New: N/A [ 54414 ]
Affects Version/s	Original: 4.7.1 [ 87092 ]

David Black made changes - 10/Dec/2019 2:14 AM

Labels

Original: advisory advisory-to-release bugbounty cvss-medium security xss

New: CVE-2019-15007 advisory advisory-to-release bugbounty cvss-medium security xss

David Black made changes - 10/Dec/2019 2:14 AM

Summary

Original: XSS in the the review resource through the name of a missing branch

New: XSS in the the review resource through the name of a missing branch - CVE-2019-15007

David Black made changes - 10/Dec/2019 2:06 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Needs Triage [ 10030 ]	New: Closed [ 6 ]

David Black made changes - 10/Dec/2019 2:04 AM

Description

Original: The review resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

New: The review resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

David Black made changes - 10/Dec/2019 2:04 AM

Component/s		New: User interface [ 12295 ]
Component/s	Original: Projects [ 12952 ]
Fix Version/s		New: 4.8.0 [ 85591 ]
Fix Version/s		New: 4.7.3 [ 90793 ]
Fix Version/s	Original: 4.8.0 [ 85091 ]
Fix Version/s	Original: 4.7.3 [ 90290 ]
Key	Original: ~~CRUC-8440~~	New: ~~FE-7250~~
Affects Version/s		New: 4.7.1 [ 87092 ]
Affects Version/s	Original: 4.7.1 [ 87093 ]
Project	Original: Crucible [ 11771 ]	New: FishEye [ 11830 ]

David Black made changes - 10/Dec/2019 2:03 AM

Link

New: This issue relates to ~~CRUC-8439~~ [ ~~CRUC-8439~~ ]

David Black made changes - 10/Dec/2019 2:03 AM

Link

Original: This issue is cloned from ~~CRUC-8439~~ [ ~~CRUC-8439~~ ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 10/Dec/2019 2:03 AM

Updated:: 11/Dec/2019 1:42 AM

Resolved:: 10/Dec/2019 2:06 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-7250] XSS in the the review resource through the name of a missing branch - CVE-2019-15007

People

Dates