CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18080
https://notcve.org/view.php?id=CVE-2017-18080
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. El recurso saveConfigureSecurity en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen las opciones de seguridad mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF). • https://jira.atlassian.com/browse/BAM-19664 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18082
https://notcve.org/view.php?id=CVE-2017-18082
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. El recurso de ramas de configuración de plan en Atlassian Bamboo, en versiones anteriores a la 6.2.3, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el nombre de una rama. • https://jira.atlassian.com/browse/BAM-19666 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18042
https://notcve.org/view.php?id=CVE-2017-18042
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. El recurso de actualización de administración de usuarios en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos modifiquen los datos de usuario, incluyendo las contraseñas, mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF). • http://www.securityfocus.com/bid/103110 https://jira.atlassian.com/browse/BAM-19663 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18081
https://notcve.org/view.php?id=CVE-2017-18081
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. El recurso signupUser en Atlassian Bamboo, en versiones anteriores a la 6.3.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el valor de la cookie del token csrf. • http://www.securityfocus.com/bid/103087 https://jira.atlassian.com/browse/BAM-19665 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 1%CPEs: 2EXPL: 0CVE-2017-14589
https://notcve.org/view.php?id=CVE-2017-14589
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. Era posible que ocurriese una evaluación doble de OGNL en las plantillas de FreeMarker con etiquetas Struts FreeMarker. Un atacante que cuente con derechos restringidos de administración en Bamboo o que aloje un sitio web que visite un administrador de Bamboo es capaz de explotar esta vulnerabilidad para ejecutar el código Java que elija en sistemas que ejecuten una versión vulnerable de Bamboo. • http://www.securityfocus.com/bid/102188 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html https://jira.atlassian.com/browse/BAM-18842 • CWE-20: Improper Input Validation •