CVE-2017-18091

MEDIUM

Atlassian Fisheye and Crucible 4.4.0-4.4.2 - Authenticated Stored Cross-Site Scripting via Backup Filename


Description

The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the filename of a backup.

References (3)

Vendor Advisory (x_refsource_confirm): https://jira.atlassian.com/browse/FE-7006
Vendor Advisory (x_refsource_confirm): https://jira.atlassian.com/browse/CRUC-8173
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/103079

Scores

CVSS v3 4.8
EPSS 0.0018
EPSS Percentile 38.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
atlassian/crucible 4.4.0 - 4.4.3
atlassian/fisheye 4.4.0 - 4.4.3
Published Feb 16, 2018
Tracked Since Feb 18, 2026