CVE-2017-18034
MEDIUM
Atlassian Crucible and Fisheye < 4.5.1 - Cross-Site Scripting via Repository Branch Name
Title source: llm
Description
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability, using a specially crafted repository branch name, when trying to display deleted files of the branch.
References (2)
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/FE-6994
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/CRUC-8161
Scores
CVSS v3
5.4
EPSS
0.0014
EPSS Percentile
33.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
atlassian/crucible
4.6.0
atlassian/crucible
< 4.5.1
atlassian/fisheye
4.6.0
atlassian/fisheye
< 4.5.1
Published
Feb 02, 2018
Tracked Since
Feb 18, 2026