CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-14591 – Fisheye / Crucible 4.4.x / 4.5.x Code Execution
https://notcve.org/view.php?id=CVE-2017-14591
29 Nov 2017 — Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software. Atlassian Fisheye y Crucible en versiones anteriores a la 4.3 y la versión 4.5.0 son vulnerables a una inyección de argumentos mediante nombres de archivo en repositorios Mercurial. Esto permite que los atacantes ejecuten código arbitrario en un sistema que ejecute el... • http://www.securityfocus.com/bid/102194 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-14587
https://notcve.org/view.php?id=CVE-2017-14587
11 Oct 2017 — The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. El recurso de borrado de usuarios de administración en Atlassian Fisheye y Crucible en versiones anteriores a la 4.4.2 permite a los atacantes remotos inyectar HTML o JavaScript arbitrarios a través de una vulnerabilidad de Cross-Site Scripting (XSS) en el parámetro uname • http://www.securityfocus.com/bid/101266 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-14588
https://notcve.org/view.php?id=CVE-2017-14588
11 Oct 2017 — Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. Varios recursos en Atlassian Fisheye y Crucible en versiones anteriores a la 4.4.2 permiten a los atacantes remotos inyectar HTML o JavaScript arbitrarios a través de una vulnerabilidad de cross site scripting (XSS) en el parámetro de diálogo. • http://www.securityfocus.com/bid/101268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9511
https://notcve.org/view.php?id=CVE-2017-9511
24 Aug 2017 — The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. La clase MultiPathResource en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permite que atacantes anónimos remotos lean archivos arbitrarios mediante una vulnerabilidad de salto de directorio cuando FishEye o Crucible se ejecutan en el si... • https://jira.atlassian.com/browse/CRUC-8049 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2017-9512
https://notcve.org/view.php?id=CVE-2017-9512
24 Aug 2017 — The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. El recurso mostActiveCommitters.do en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permite que atacantes remotos accedan a información sensible, por ejemplo, las direcciones de email de los autores, ya que no cuenta con verificación de permisos • https://jira.atlassian.com/browse/CRUC-8053 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9510
https://notcve.org/view.php?id=CVE-2017-9510
24 Aug 2017 — The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. El recurso de registro de cambios en el repositorio en Atlassian Fisheye en versiones anteriores a la 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS a través de los parámetros de fecha de inicio y ... • https://jira.atlassian.com/browse/FE-6890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9507
https://notcve.org/view.php?id=CVE-2017-9507
24 Aug 2017 — The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. El recurso review dashboard en Atlassian Crucible desde la versión 4.1.0 hasta antes de la versión 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) en el parámetro review filter title. • https://jira.atlassian.com/browse/CRUC-8043 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9509
https://notcve.org/view.php?id=CVE-2017-9509
24 Aug 2017 — The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file. El recurso review file upload en Atlassian Crucible en versiones anteriores a la 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) mediante el conjunto de caracteres de un archivo previamente subid... • https://jira.atlassian.com/browse/CRUC-8046 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-9508
https://notcve.org/view.php?id=CVE-2017-9508
24 Aug 2017 — Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. Varios recursos en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permiten que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) mediante el nombre de un archivo de repositorio o de revisión • https://jira.atlassian.com/browse/CRUC-8044 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 46%CPEs: 17EXPL: 2CVE-2012-2926 – Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 - XML Parsing Denial of Service
https://notcve.org/view.php?id=CVE-2012-2926
22 May 2012 — Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vecto... • https://packetstorm.news/files/id/181107 •