Vulnerability CVE-2017-18082


Published: 2018-02-02

Description:
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the name of a branch.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Atlassian
Product: Bamboo
Version:
5.9.7
5.9.4
5.9.3
5.9.2
5.9.1
5.9
5.8.5
5.8.2
5.8.1
5.8
5.7.2
5.7.1
5.7
5.6.2
5.6.1
5.6
5.5
5.4.2
5.4.1
5.4
5.3
5.2.2
5.2.1
5.2
5.14.5
5.14.4.1
5.14.3
5.14.2
5.14.1
5.14.0
5.13.2
5.13.1
5.13.0
5.12.5
5.12.4
5.12.2
5.12.1
5.12.0
5.11.3
5.1.1
5.1
5.0.1
5.0
4.4.8
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4
4.3.4
4.3.3
4.3.2
4.3.1
4.3
4.2.1
4.2
4.1.2
4.1.1
4.1
4.0.1
4.0
3.4.5
3.4.4
3.4.3
3.4.2
3.4.1
3.4
3.3.4
3.3.3
3.3.2
3.3.1
3.3
3.2.2
3.2
3.1.4
3.1.3
3.1.1
3.1
3.0.3
3.0.2
3.0.1
3.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.5.5
2.5.3
2.5.2
2.5.1
2.5
2.4.3
2.4.2
2.4.1
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
https://jira.atlassian.com/browse/BAM-19666

Related CVE
CVE-2018-13397
There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree ...
CVE-2018-13396
There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for ...
CVE-2018-13402
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before ve...
CVE-2018-13401
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7....
CVE-2018-13400
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from versio...
CVE-2018-13399
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-13398
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2018-13395
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 a...

Copyright 2019, cxsecurity.com