{"api_version":"1","generated_at":"2026-05-13T16:25:17+00:00","cve":"CVE-2017-16860","urls":{"html":"https://cve.report/CVE-2017-16860","api":"https://cve.report/api/cve/CVE-2017-16860.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-16860","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-16860"},"summary":{"title":"CVE-2017-16860","description":"The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2018-05-14 13:29:00","updated_at":"2018-06-19 15:28:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://ecosystem.atlassian.net/browse/APL-1363","name":"https://ecosystem.atlassian.net/browse/APL-1363","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"[APL-1363] XSS in the invalidRedirectUrl template through the redirectUrl parameter - CVE-2017-16860  - Ecosystem Jira","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/104188","name":"104188","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Atlassian Application Links CVE-2017-16860 Cross Site Scripting Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-16860","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16860","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"16860","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"application_links","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"16860","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"application_links","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2018-05-14T00:00:00","ID":"CVE-2017-16860","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Application Links","version":{"version_data":[{"version_affected":"<","version_value":"5.2.7"},{"version_affected":">=","version_value":"5.3.0"},{"version_affected":"<","version_value":"5.3.4"},{"version_affected":">=","version_value":"5.4.0"},{"version_affected":"<","version_value":"5.4.3"}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross Site Scripting (XSS)"}]}]},"references":{"reference_data":[{"name":"https://ecosystem.atlassian.net/browse/APL-1363","refsource":"CONFIRM","url":"https://ecosystem.atlassian.net/browse/APL-1363"},{"name":"104188","refsource":"BID","url":"http://www.securityfocus.com/bid/104188"}]}},"nvd":{"publishedDate":"2018-05-14 13:29:00","lastModifiedDate":"2018-06-19 15:28:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*","versionEndExcluding":"5.2.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3.0","versionEndExcluding":"5.3.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.0","versionEndExcluding":"5.4.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"16860","Ordinal":"114691","Title":"CVE-2017-16860","CVE":"CVE-2017-16860","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"16860","Ordinal":"1","NoteData":"The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"16860","Ordinal":"2","NoteData":"2018-05-14","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"16860","Ordinal":"3","NoteData":"2018-05-17","Type":"Other","Title":"Modified"}]}}}