CVE-2017-9510 - Vulnerability Details - OpenCVE

Description

The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.

Published: 2017-08-24

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Atlassian

Atlassian Fisheye

affected

Version	Status	Constraints
`All versions prior to version 4.4.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2017-18442	The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00191.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://jira.atlassian.com/browse/FE-6890

History

Wed, 16 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Atlassian Fisheye

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2017-08-24T17:00:00.000Z

Updated: 2024-10-16T14:03:34.200Z

Reserved: 2017-06-07T00:00:00.000Z

Link: CVE-2017-9510

Vulnrichment

Updated: 2024-08-05T17:11:01.626Z

NVD

Status : Deferred

Published: 2017-08-24T17:29:00.350

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-9510

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "Atlassian Fisheye", "vendor": "Atlassian", "versions": [{"status": "affected", "version": "All versions prior to version 4.4.1"}]}], "datePublic": "2017-07-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters."}], "problemTypes": [{"descriptions": [{"description": "Cross Site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-25T13:56:32.000Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/FE-6890"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-07-17T00:00:00", "ID": "CVE-2017-9510", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Atlassian Fisheye", "version": {"version_data": [{"version_value": "All versions prior to version 4.4.1"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/FE-6890", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/FE-6890"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:11:01.626Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/FE-6890"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-16T14:03:25.262716Z", "id": "CVE-2017-9510", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:03:34.200Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-9510", "datePublished": "2017-08-24T17:00:00.000Z", "dateReserved": "2017-06-07T00:00:00.000Z", "dateUpdated": "2024-10-16T14:03:34.200Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.atlassian.com/browse/FE-6890", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:11:01.626Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2017-9510", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-16T14:03:25.262716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:03:31.300Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Atlassian Fisheye", "versions": [{"status": "affected", "version": "All versions prior to version 4.4.1"}]}], "datePublic": "2017-07-17T00:00:00.000Z", "references": [{"url": "https://jira.atlassian.com/browse/FE-6890", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Cross Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2020-11-25T13:56:32.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions prior to version 4.4.1"}]}, "product_name": "Atlassian Fisheye"}]}, "vendor_name": "Atlassian"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://jira.atlassian.com/browse/FE-6890", "name": "https://jira.atlassian.com/browse/FE-6890", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-9510", "STATE": "PUBLIC", "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-07-17T00:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2017-9510", "state": "PUBLISHED", "dateUpdated": "2024-10-16T14:03:34.200Z", "dateReserved": "2017-06-07T00:00:00.000Z", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2017-08-24T17:00:00.000Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB0CDA4F-731F-4F40-9ED9-496576B93345", "versionEndIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters."}, {"lang": "es", "value": "El recurso de registro de cambios en el repositorio en Atlassian Fisheye en versiones anteriores a la 4.4.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad cross-Site Scripting (XSS a trav\u00e9s de los par\u00e1metros de fecha de inicio y fecha de finalizaci\u00f3n"}], "id": "CVE-2017-9510", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-24T17:29:00.350", "references": [{"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/FE-6890"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/FE-6890"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}