Vulnerabilities > Atlassian > Crucible > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-02-02 CVE-2017-18035 Missing Authorization vulnerability in Atlassian Fisheye
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
network
low complexity
atlassian CWE-862
4.3
4.3
2018-02-02 CVE-2017-18034 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-10-11 CVE-2017-14588 Cross-site Scripting vulnerability in Atlassian Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.
network
low complexity
atlassian CWE-79
6.1
6.1
2017-10-11 CVE-2017-14587 Cross-site Scripting vulnerability in Atlassian Fisheye
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9509 Cross-site Scripting vulnerability in Atlassian Crucible
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9508 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9507 Cross-site Scripting vulnerability in Atlassian Crucible
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
network
low complexity
atlassian CWE-79
5.4
5.4