CVE-2017-18091

The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
atlassianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
atlassianfisheye
4.4.0 ≤
𝑥
< 4.4.3
atlassiancrucible
4.4.0 ≤
𝑥
< 4.4.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/103079
https://jira.atlassian.com/browse/CRUC-8173
https://jira.atlassian.com/browse/FE-7006
http://www.securityfocus.com/bid/103079
https://jira.atlassian.com/browse/CRUC-8173
https://jira.atlassian.com/browse/FE-7006