CVE-2017-18080
https://notcve.org/view.php?id=CVE-2017-18080
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. El recurso saveConfigureSecurity en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen las opciones de seguridad mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF). • https://jira.atlassian.com/browse/BAM-19664 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-18041
https://notcve.org/view.php?id=CVE-2017-18041
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. El recurso viewDeploymentVersionJiraIssuesDialog en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versión. • http://www.securityfocus.com/bid/103071 https://jira.atlassian.com/browse/BAM-19662 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-18040
https://notcve.org/view.php?id=CVE-2017-18040
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. El recurso viewDeploymentVersionCommits en Atlassian Bamboo, en versiones anteriores a la 6.2.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una versión. • http://www.securityfocus.com/bid/103070 https://jira.atlassian.com/browse/BAM-19661 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-18082
https://notcve.org/view.php?id=CVE-2017-18082
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. El recurso de ramas de configuración de plan en Atlassian Bamboo, en versiones anteriores a la 6.2.3, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una rama. • https://jira.atlassian.com/browse/BAM-19666 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-14589
https://notcve.org/view.php?id=CVE-2017-14589
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. Era posible que ocurriese una evaluación doble de OGNL en las plantillas de FreeMarker con etiquetas Struts FreeMarker. Un atacante que cuente con derechos restringidos de administración en Bamboo o que aloje un sitio web que visite un administrador de Bamboo es capaz de explotar esta vulnerabilidad para ejecutar el código Java que elija en sistemas que ejecuten una versión vulnerable de Bamboo. • http://www.securityfocus.com/bid/102188 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html https://jira.atlassian.com/browse/BAM-18842 • CWE-20: Improper Input Validation •