CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-9511
https://notcve.org/view.php?id=CVE-2017-9511
The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. La clase MultiPathResource en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permite que atacantes anónimos remotos lean archivos arbitrarios mediante una vulnerabilidad de salto de directorio cuando FishEye o Crucible se ejecutan en el sistema operativo Microsoft Windows • https://jira.atlassian.com/browse/CRUC-8049 https://jira.atlassian.com/browse/FE-6891 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9507
https://notcve.org/view.php?id=CVE-2017-9507
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. El recurso review dashboard en Atlassian Crucible desde la versión 4.1.0 hasta antes de la versión 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) en el parámetro review filter title. • https://jira.atlassian.com/browse/CRUC-8043 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-9508
https://notcve.org/view.php?id=CVE-2017-9508
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. Varios recursos en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permiten que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) mediante el nombre de un archivo de repositorio o de revisión • https://jira.atlassian.com/browse/CRUC-8044 https://jira.atlassian.com/browse/FE-6898 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9509
https://notcve.org/view.php?id=CVE-2017-9509
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file. El recurso review file upload en Atlassian Crucible en versiones anteriores a la 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS) mediante el conjunto de caracteres de un archivo previamente subido. • https://jira.atlassian.com/browse/CRUC-8046 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2017-9512
https://notcve.org/view.php?id=CVE-2017-9512
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. El recurso mostActiveCommitters.do en Atlassian FishEye y Crucible en versiones anteriores a la 4.4.1 permite que atacantes remotos accedan a información sensible, por ejemplo, las direcciones de email de los autores, ya que no cuenta con verificación de permisos • https://jira.atlassian.com/browse/CRUC-8053 https://jira.atlassian.com/browse/FE-6892 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •