CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-18035
https://notcve.org/view.php?id=CVE-2017-18035
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it. El recurso /rest/review-coverage-chart/1.0/data//.json en Atlassian Fisheye y Crucible, en versiones anteriores a la 4.5.1 y la 4.6.0, no tenía una comprobación de permisos. Esto permite que atacantes remotos que no tengan acceso a un repositorio en concreto determinen su existencia y accedan a sus estadísticas de cobertura de revisión. • https://jira.atlassian.com/browse/CRUC-8163 https://jira.atlassian.com/browse/FE-6996 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2017-16861
https://notcve.org/view.php?id=CVE-2017-16861
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability. La doble evaluación OGNL era posible en algunas acciones de redirección y en la URL WebWork y las etiquetas Anchor de archivos JSP. Un atacante que pueda acceder a la interfaz web de Fisheye o Crucible o que aloje un sitio web que visite un usuario que pueda acceder a la interfaz web de Fisheye o Crucible puede explotar esta vulnerabilidad para ejecutar código Java a voluntad en sistemas que ejecuten una versión vulnerable de Fisheye o de Crucible. • http://www.securityfocus.com/bid/102971 https://confluence.atlassian.com/x/h-QyO https://confluence.atlassian.com/x/iPQyO https://jira.atlassian.com/browse/CRUC-8156 https://jira.atlassian.com/browse/FE-6991 •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-14591
https://notcve.org/view.php?id=CVE-2017-14591
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software. Atlassian Fisheye y Crucible en versiones anteriores a la 4.3 y la versión 4.5.0 son vulnerables a una inyección de argumentos mediante nombres de archivo en repositorios Mercurial. Esto permite que los atacantes ejecuten código arbitrario en un sistema que ejecute el software afectado. • http://www.securityfocus.com/bid/102194 https://confluence.atlassian.com/x/plcGO • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-14587
https://notcve.org/view.php?id=CVE-2017-14587
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. El recurso de borrado de usuarios de administración en Atlassian Fisheye y Crucible en versiones anteriores a la 4.4.2 permite a los atacantes remotos inyectar HTML o JavaScript arbitrarios a través de una vulnerabilidad de Cross-Site Scripting (XSS) en el parámetro uname • http://www.securityfocus.com/bid/101266 https://jira.atlassian.com/browse/CRUC-8112 https://jira.atlassian.com/browse/FE-6933 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-14588
https://notcve.org/view.php?id=CVE-2017-14588
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. Varios recursos en Atlassian Fisheye y Crucible en versiones anteriores a la 4.4.2 permiten a los atacantes remotos inyectar HTML o JavaScript arbitrarios a través de una vulnerabilidad de cross site scripting (XSS) en el parámetro de diálogo. • http://www.securityfocus.com/bid/101268 https://jira.atlassian.com/browse/CRUC-8113 https://jira.atlassian.com/browse/FE-6935 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •