Filtered by vendor Atlassian
Subscriptions
Filtered by product Fisheye
Subscriptions
Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43955 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 4.3 Medium |
| The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | ||||
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2024-09-17 | N/A |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | ||||
| CVE-2020-14191 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 7.5 High |
| Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. | ||||
| CVE-2020-4023 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 5.4 Medium |
| The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter. | ||||
| CVE-2020-4014 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 4.3 Medium |
| The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. | ||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | ||||
| CVE-2020-29446 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 5.3 Medium |
| Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. | ||||
| CVE-2017-18093 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository. | ||||
| CVE-2021-43954 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 4.3 Medium |
| The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | ||||
| CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | ||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 6.1 Medium |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | ||||
| CVE-2018-13388 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files. | ||||
| CVE-2017-18090 | 1 Atlassian | 1 Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye before version 4.5.1 (the fixed version for 4.5.x) and before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a commit author. | ||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | ||||
| CVE-2018-5228 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers. | ||||
| CVE-2018-20241 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter. | ||||
| CVE-2019-15009 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 4.3 Medium |
| The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. | ||||
| CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. | ||||
| CVE-2018-13392 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-16 | N/A |
| Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. | ||||
| CVE-2022-26137 | 1 Atlassian | 11 Bamboo, Bitbucket, Confluence Data Center and 8 more | 2024-09-16 | 8.8 High |
| A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. | ||||