Product:

Fisheye

(Atlassian)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 51
Date Id Summary Products Score Patch Annotated
2019-04-30 CVE-2018-20239 Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd... Application_links, Confluence_data_center, Confluence_server, Crowd, Crucible, Fisheye, Jira_data_center, Jira_server 5.4
2012-05-22 CVE-2012-2926 Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via... Bamboo, Confluence, Confluence_server, Crowd, Crucible, Fisheye, Jira 9.1
2017-08-24 CVE-2017-9510 The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. Fisheye 5.4
2017-08-24 CVE-2017-9508 Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. Crucible, Fisheye 5.4
2018-02-02 CVE-2017-18034 The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. Crucible, Fisheye 5.4
2017-10-11 CVE-2017-14588 Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. Crucible, Fisheye 6.1
2017-10-11 CVE-2017-14587 The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. Crucible, Fisheye 5.4
2020-08-05 CVE-2017-18112 Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3. Fisheye N/A
2019-12-11 CVE-2019-15009 The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. Crucible, Fisheye N/A
2019-12-11 CVE-2019-15008 The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. Crucible, Fisheye N/A