CVE-2019-15008
https://notcve.org/view.php?id=CVE-2019-15008
11 Dec 2019 — The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the reviewedBranch parameter. • https://jira.atlassian.com/browse/CRUC-8441 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15007
https://notcve.org/view.php?id=CVE-2019-15007
11 Dec 2019 — The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the name of a missing branch. • https://jira.atlassian.com/browse/CRUC-8439 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15005
https://notcve.org/view.php?id=CVE-2019-15005
08 Nov 2019 — The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center... • https://herolab.usd.de/security-advisories/usd-2019-0016 • CWE-862: Missing Authorization
CVE-2018-20239
https://notcve.org/view.php?id=CVE-2018-20239
30 Apr 2019 — Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3... • https://ecosystem.atlassian.net/browse/APL-1373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20240
https://notcve.org/view.php?id=CVE-2018-20240
20 Feb 2019 — The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the href parameter. • http://www.securityfocus.com/bid/107128 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20241
https://notcve.org/view.php?id=CVE-2018-20241
20 Feb 2019 — The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the wbuser parameter. • http://www.securityfocus.com/bid/107128 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13399
https://notcve.org/view.php?id=CVE-2018-13399
16 Oct 2018 — The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory. • https://jira.atlassian.com/browse/CRUC-8314 • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2018-13398
https://notcve.org/view.php?id=CVE-2018-13398
18 Sep 2018 — The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a cross-site request forgery (CSRF) vulnerability. • https://jira.atlassian.com/browse/CRUC-8312 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-13392
https://notcve.org/view.php?id=CVE-2018-13392
13 Aug 2018 — Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in linked issue keys. • http://www.securityfocus.com/bid/105096 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-13388
https://notcve.org/view.php?id=CVE-2018-13388
10 Jul 2018 — The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in attached files. • http://www.securityfocus.com/bid/104717 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')