XSS Vulnerability in Atlassian Fisheye and Crucible Affecting Versions Prior to 4.7.0
CVE-2018-20240

4.8MEDIUM

Key Information:

Vendor
Atlassian
Status
Fisheye And Crucible
Vendor
CVE Published:
20 February 2019

Summary

The administrative linker feature in Atlassian Fisheye and Crucible prior to version 4.7.0 contains a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject malicious HTML or JavaScript into the href parameter, leading to potential unauthorized actions or data exposure on affected installations. Users should apply available updates to mitigate this security risk.

Affected Version(s)

Fisheye and Crucible < 4.7.0

References

https://jira.atlassian.com/browse/FE-7163
x_refsource_CONFIRM
http://www.securityfocus.com/bid/107128
vdb-entryx_refsource_BID
https://jira.atlassian.com/browse/CRUC-8381
x_refsource_CONFIRM

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.