Vulnerability Description
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Crucible | < 4.5.1 |
| Atlassian | Fisheye | < 4.5.1 |
Related Weaknesses (CWE)
References
- https://jira.atlassian.com/browse/CRUC-8161Issue TrackingVendor Advisory
- https://jira.atlassian.com/browse/FE-6994Issue TrackingVendor Advisory
- https://jira.atlassian.com/browse/CRUC-8161Issue TrackingVendor Advisory
- https://jira.atlassian.com/browse/FE-6994Issue TrackingVendor Advisory
FAQ
What is CVE-2017-18034?
CVE-2017-18034 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or J...
How severe is CVE-2017-18034?
CVE-2017-18034 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-18034?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Crucible, Atlassian Fisheye.