漏洞类别:CGI
漏洞等级: 
漏洞信息
Atlassian FishEye is the on-premise source code repository browser for enterprise teams. It provides your developers with advanced browsing and search for SVN, Git, Mercurial, Perforce and CVS code repositories, from any web browser.
Atlassian Crucible is the on-premises code review solution for enterprise teams. It allows your development teams to catch major defects, improve code architecture, and discuss desired improvements, without the need for meetings.
Several resources in Atlassian Fisheye and Crucible allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
Affected Versions:
Atlassian Fisheye and Crucible prior to version 4.6.0
QID Detection Logic(Unauthenticated):
It checks for vulnerable version of Atlassian Fisheye and Crucible.
漏洞危害
when successfully exploited an attacker can disclose sensitive information and could impact confidentiality and integrity.
解决方案
The vendor has released patch.
Customers are advised to upgrade to Atlassian Fisheye 4.6.0 and Atlassian Crucible 4.6.0 in order to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论