CVE-2017-9509
https://notcve.org/view.php?id=CVE-2017-9509
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the charset of a previously uploaded file. • https://jira.atlassian.com/browse/CRUC-8046 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9507
https://notcve.org/view.php?id=CVE-2017-9507
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the review filter title parameter. • https://jira.atlassian.com/browse/CRUC-8043 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9512
https://notcve.org/view.php?id=CVE-2017-9512
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. • https://jira.atlassian.com/browse/CRUC-8053 https://jira.atlassian.com/browse/FE-6892 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-2926 – Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 - XML Parsing Denial of Service
https://notcve.org/view.php?id=CVE-2012-2926
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. • https://www.exploit-db.com/exploits/37218 http://confluence.atlassian.com/display/BAMBOO/Bamboo+Security+Advisory+2012-05-17 http://confluence.atlassian.com/display/CROWD/Crowd+Security+Advisory+2012-05-17 http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17 http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-05-17 http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-05-17 http://osvdb.org/81993 http://secunia