Vulnerabilities > Atlassian > Fisheye > 1.3

DATE CVE VULNERABILITY TITLE RISK
2018-02-02 CVE-2017-18035 Missing Authorization vulnerability in Atlassian Crucible and Fisheye
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
network
low complexity
atlassian CWE-862
4.0
4.0
2018-02-02 CVE-2017-18034 Cross-site Scripting vulnerability in Atlassian Crucible
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
network
atlassian CWE-79
3.5
3.5
2018-02-01 CVE-2017-16861 Unspecified vulnerability in Atlassian Crucible and Fisheye
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur.
network
low complexity
atlassian
7.5
7.5
2017-11-29 CVE-2017-14591 Argument Injection or Modification vulnerability in Atlassian Crucible and Fisheye
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
network
atlassian CWE-88
critical
 9.3
9.3
2017-10-11 CVE-2017-14588 Cross-site Scripting vulnerability in Atlassian Crucible
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.
network
atlassian CWE-79
4.3
4.3
2017-10-11 CVE-2017-14587 Cross-site Scripting vulnerability in Atlassian Crucible
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.
network
atlassian CWE-79
3.5
3.5
2017-08-24 CVE-2017-9511 Path Traversal vulnerability in Atlassian Crucible
The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system.
network
low complexity
atlassian CWE-22
5.0
5.0
2017-08-24 CVE-2017-9512 Information Exposure vulnerability in Atlassian Crucible
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.
network
low complexity
atlassian CWE-200
5.0
5.0
2017-08-24 CVE-2017-9510 Cross-site Scripting vulnerability in Atlassian Fisheye
The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
network
atlassian CWE-79
3.5
3.5
2017-08-24 CVE-2017-9509 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
network
atlassian CWE-79
3.5
3.5