[JRASERVER-67108] XSS in various types of nested wiki markup - CVE-2017-18102 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.7.1, 7.8.0, 7.6.8
Affects Version/s: 7.5.3
Component/s: Issue - Fields
Labels:

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7.05
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The bundled version of atlassian-renderer in Atlassian JIRA before version 7.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 (currently restricted to Atlassian staff).

is related to

CRUC-8162 XSS via wiki markup

Closed

FE-6995 XSS via wiki markup

Closed

mentioned in: Page Loading...

David Black added a comment - 10/Apr/2018 4:23 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

David Black added a comment - 10/Apr/2018 4:23 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 10/Apr/2018 3:55 AM

Updated:: 22/May/2020 8:22 AM

Resolved:: 10/Apr/2018 3:55 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-67108] XSS in various types of nested wiki markup - CVE-2017-18102

Collapse comment: David Black added a comment - 10/Apr/2018 4:23 AM, Edited by David Black - 10/Apr/2018 4:23 AM

Expand comment: David Black added a comment - 10/Apr/2018 4:23 AM, Edited by David Black - 10/Apr/2018 4:23 AM

People

Dates