First published: Mon Feb 19 2018
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the location setting of a configured repository.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian FishEye | >=4.4.0, <4.4.3 | |
Atlassian Crucible | >=4.4.0, <4.4.3 | |
CVE-2017-18093 is a vulnerability in Atlassian Fisheye and Crucible where remote attackers with permission to add or modify a repository can inject arbitrary HTML or JavaScript, resulting in a cross-site scripting (XSS) attack.
CVE-2017-18093 affects Atlassian FishEye and Crucible versions before 4.4.3 (the fixed version for 4.4.x) and before 4.5.0.
The severity of CVE-2017-18093 is medium with a CVSS score of 4.8.
Remote attackers who have permission to add or modify a repository can exploit CVE-2017-18093 by injecting arbitrary HTML or JavaScript through the location setting of a configured repository, resulting in cross-site scripting (XSS).
To fix CVE-2017-18093, upgrade Atlassian FishEye and Crucible to version 4.4.3 or later (for 4.4.x) or version 4.5.0 or later.