Vulnerability CVE-2017-18081


Published: 2018-02-02

Description:
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Atlassian
Product: Bamboo 
Version:
5.9.7
5.9.4
5.9.3
5.9.2
5.9.1
5.9
5.8.5
5.8.2
5.8.1
5.8
5.7.2
5.7.1
5.7
5.6.2
5.6.1
5.6
5.5
5.4.2
5.4.1
5.4
5.3
5.2.2
5.2.1
5.2
5.14.5
5.14.4.1
5.14.3
5.14.2
5.14.1
5.14.0
5.13.2
5.13.1
5.13.0
5.12.5
5.12.4
5.12.2
5.12.1
5.12.0
5.11.3
5.1.1
5.1
5.0.1
5.0
4.4.8
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.1
4.2
4.1.2
4.1.1
4.1
4.0.1
4.0
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4
3.3.4
3.3.3
3.3.2
3.3.1
3.3
3.2.2
3.2
3.1.4
3.1.3
3.1.1
3.1
3.0.3
3.0.2
3.0.1
3.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.5.5
2.5.3
2.5.2
2.5.1
2.5
2.4.3
2.4.2
2.4.1
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://jira.atlassian.com/browse/BAM-19665

Related CVE
CVE-2017-18086
Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter.
CVE-2017-18085
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter.
CVE-2017-18084
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CVE-2017-18083
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CVE-2017-18082
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
CVE-2017-18080
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18042
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18041
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

Copyright 2018, cxsecurity.com

 

Back to Top