VYPR

Fisheye and Crucible

by Atlassian

CVEs (36)

  • CVE-2020-4016MedJun 1, 2020
    risk 0.35cvss 5.3epss 0.01

    The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability.

  • CVE-2018-20241MedFeb 20, 2019
    risk 0.35cvss 5.4epss 0.01

    The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

  • CVE-2018-13388MedJul 10, 2018
    risk 0.35cvss 5.4epss 0.01

    The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files.

  • CVE-2017-18034MedFeb 2, 2018
    risk 0.35cvss 5.4epss 0.01

    The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially…

  • CVE-2017-14587MedOct 11, 2017
    risk 0.35cvss 5.4epss 0.01

    The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.

  • CVE-2017-9508MedAug 24, 2017
    risk 0.35cvss 5.4epss 0.01

    Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file.

  • CVE-2019-15007MedDec 11, 2019
    risk 0.31cvss 4.8epss 0.01

    The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.

  • CVE-2018-20240MedFeb 20, 2019
    risk 0.31cvss 4.8epss 0.01

    The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

  • CVE-2017-18094MedMar 22, 2018
    risk 0.31cvss 4.8epss 0.01

    Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path…

  • CVE-2017-18093MedFeb 19, 2018
    risk 0.31cvss 4.8epss 0.01

    Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability…

  • CVE-2017-18091MedFeb 16, 2018
    risk 0.31cvss 4.8epss 0.01

    The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in…

  • CVE-2021-43955MedMar 16, 2022
    risk 0.28cvss 4.3epss 0.01

    The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability.

  • CVE-2020-4015MedJun 1, 2020
    risk 0.28cvss 4.3epss 0.01

    The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a information disclosure vulnerability.

  • CVE-2020-4014MedJun 1, 2020
    risk 0.28cvss 4.3epss 0.01

    The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability.

  • CVE-2019-15009MedDec 11, 2019
    risk 0.28cvss 4.3epss 0.01

    The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.

  • CVE-2017-18035MedFeb 2, 2018
    risk 0.28cvss 4.3epss 0.01

    The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence…

Page 2 of 2