Vulnerabilities > Atlassian > Fisheye > 4.0.1

DATE CVE VULNERABILITY TITLE RISK
2018-06-28 CVE-2017-16859 Path Traversal vulnerability in Atlassian Crucible
The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command parameter.
network
low complexity
atlassian CWE-22
6.5
6.5
2018-04-24 CVE-2018-5228 Cross-site Scripting vulnerability in Atlassian Fisheye
The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
network
low complexity
atlassian CWE-79
6.1
6.1
2018-02-02 CVE-2017-18035 Missing Authorization vulnerability in Atlassian Fisheye
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
network
low complexity
atlassian CWE-862
4.3
4.3
2018-02-02 CVE-2017-18034 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
network
low complexity
atlassian CWE-79
5.4
5.4
2018-02-01 CVE-2017-16861 Unspecified vulnerability in Atlassian Fisheye
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur.
network
low complexity
atlassian
critical
 9.8
9.8
2017-11-29 CVE-2017-14591 Argument Injection or Modification vulnerability in Atlassian Crucible
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
network
high complexity
atlassian CWE-88
critical
 9.0
9.0
2017-10-11 CVE-2017-14588 Cross-site Scripting vulnerability in Atlassian Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.
network
low complexity
atlassian CWE-79
6.1
6.1
2017-10-11 CVE-2017-14587 Cross-site Scripting vulnerability in Atlassian Fisheye
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9511 Path Traversal vulnerability in Atlassian Crucible
The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system.
network
low complexity
atlassian CWE-22
7.5
7.5
2017-08-24 CVE-2017-9512 Information Exposure vulnerability in Atlassian Crucible
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.
network
low complexity
atlassian CWE-200
7.5
7.5