FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
BID:50762
Info
FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
| Bugtraq ID: | 50762 |
| Class: | Input Validation Error |
| CVE: |
CVE-2011-4822 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 22 2011 12:00AM |
| Updated: | Dec 16 2011 06:18PM |
| Credit: | Atlassian |
| Vulnerable: |
Atlassian Fisheye 2.5.6 Atlassian Fisheye 2.5.5 Atlassian Fisheye 2.4.6 Atlassian Fisheye 2.5.4 Atlassian Fisheye 2.5.2 Atlassian Crucible 2.5.6 Atlassian Crucible 2.5.5 Atlassian Crucible 2.4.5 Atlassian Crucible 2.5.4 Atlassian Crucible 2.5.2 Atlassian Crucible 2.5.0 |
| Not Vulnerable: |
Atlassian Fisheye 2.5.7 Atlassian Crucible 2.5.7 |
Discussion
FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
FishEye and Crucible are prone to multiple HTML-injection and unauthorized-access vulnerabilities.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or gain access to privileged sections of the application.
FishEye and Crucible are prone to multiple HTML-injection and unauthorized-access vulnerabilities.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or gain access to privileged sections of the application.
Exploit / POC
FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
Attackers can exploit these issues with a web browser.
Attackers can exploit these issues with a web browser.
Solution / Fix
FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
Solution:
Updates are available; please see the references for more information.
Solution:
Updates are available; please see the references for more information.
References
FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
References:
References:
- Crucible Homepage (Atlassian)
- FishEye Homepage (Atlassian)
- FishEye and Crucible Security Advisory 2011-11-22 (Atlassian)