Vulnerabilities > Atlassian > Fisheye

DATE CVE VULNERABILITY TITLE RISK
2017-11-29 CVE-2017-14591 Argument Injection or Modification vulnerability in Atlassian Crucible
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
network
high complexity
atlassian CWE-88
critical
 9.0
9.0
2017-10-11 CVE-2017-14588 Cross-site Scripting vulnerability in Atlassian Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.
network
low complexity
atlassian CWE-79
6.1
6.1
2017-10-11 CVE-2017-14587 Cross-site Scripting vulnerability in Atlassian Fisheye
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9511 Path Traversal vulnerability in Atlassian Crucible
The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system.
network
low complexity
atlassian CWE-22
7.5
7.5
2017-08-24 CVE-2017-9512 Information Exposure vulnerability in Atlassian Crucible
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.
network
low complexity
atlassian CWE-200
7.5
7.5
2017-08-24 CVE-2017-9510 Cross-site Scripting vulnerability in Atlassian Fisheye
The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9509 Cross-site Scripting vulnerability in Atlassian Crucible
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9508 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.
network
low complexity
atlassian CWE-79
5.4
5.4
2017-08-24 CVE-2017-9507 Cross-site Scripting vulnerability in Atlassian Crucible
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
network
low complexity
atlassian CWE-79
5.4
5.4
2012-05-22 CVE-2012-2926 Unspecified vulnerability in Atlassian products
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
network
low complexity
atlassian
critical
 9.1
9.1