Vulnerability CVE-2017-18041


Published: 2018-02-02

Description:
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Atlassian
Product: Bamboo 
Version:
5.9.7
5.9.4
5.9.3
5.9.2
5.9.1
5.9
5.8.5
5.8.2
5.8.1
5.8
5.7.2
5.7.1
5.7
5.6.2
5.6.1
5.6
5.5
5.4.2
5.4.1
5.4
5.3
5.2.2
5.2.1
5.2
5.14.5
5.14.4.1
5.14.3
5.14.2
5.14.1
5.14.0
5.13.2
5.13.1
5.13.0
5.12.5
5.12.4
5.12.2
5.12.1
5.12.0
5.11.3
5.1.1
5.1
5.0.1
5.0
4.4.8
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.1
4.2
4.1.2
4.1.1
4.1
4.0.1
4.0
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4
3.3.4
3.3.3
3.3.2
3.3.1
3.3
3.2.2
3.2
3.1.4
3.1.3
3.1.1
3.1
3.0.3
3.0.2
3.0.1
3.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.5.5
2.5.3
2.5.2
2.5.1
2.5
2.4.3
2.4.2
2.4.1
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.securityfocus.com/bid/103071
https://jira.atlassian.com/browse/BAM-19662

Related CVE
CVE-2018-13395
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 a...
CVE-2018-13391
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from ver...
CVE-2018-13392
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
CVE-2018-13385
There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code e...
CVE-2017-18104
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should ...
CVE-2018-5232
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
CVE-2018-13387
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 al...
CVE-2018-13389
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.

Copyright 2018, cxsecurity.com

 

Back to Top