Vulnerabilities > Atlassian > Fisheye > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-08-13 CVE-2018-13392 Cross-site Scripting vulnerability in Atlassian Fisheye
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
network
low complexity
atlassian CWE-79
6.1
6.1
2018-07-10 CVE-2018-13388 Cross-site Scripting vulnerability in Atlassian Fisheye
The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files.
network
low complexity
atlassian CWE-79
5.4
5.4
2018-06-28 CVE-2017-16859 Path Traversal vulnerability in Atlassian Crucible
The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command parameter.
network
low complexity
atlassian CWE-22
6.5
6.5
2018-04-24 CVE-2018-5228 Cross-site Scripting vulnerability in Atlassian Fisheye
The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
network
low complexity
atlassian CWE-79
6.1
6.1
2018-03-22 CVE-2017-18094 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository.
network
low complexity
atlassian CWE-79
4.8
4.8
2018-02-19 CVE-2017-18093 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository.
network
low complexity
atlassian CWE-79
4.8
4.8
2018-02-16 CVE-2017-18091 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
network
low complexity
atlassian CWE-79
4.8
4.8
2018-02-16 CVE-2017-18090 Cross-site Scripting vulnerability in Atlassian Fisheye 4.5.0
Various resources in Atlassian Fisheye before version 4.5.1 (the fixed version for 4.5.x) and before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a commit author.
network
low complexity
atlassian CWE-79
6.1
6.1
2018-02-02 CVE-2017-18035 Missing Authorization vulnerability in Atlassian Fisheye
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.
network
low complexity
atlassian CWE-862
4.3
4.3
2018-02-02 CVE-2017-18034 Cross-site Scripting vulnerability in Atlassian Crucible and Fisheye
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.
network
low complexity
atlassian CWE-79
5.4
5.4