Vulnerability-Lookup

CVE-2018-13395 (GCVE-0-2018-13395)

Vulnerability from cvelistv5 – Published: 2018-08-28 13:00 – Updated: 2024-09-16 16:42

Summary

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.

Severity

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

Cross Site Scripting (XSS)

Assigner

atlassian

References

1 reference

URL	Tags
https://jira.atlassian.com/browse/JRASERVER-67848	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Atlassian	Jira	Affected: unspecified , < 7.6.8 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.7.5 (custom) Affected: 7.8.0 , < unspecified (custom) Affected: unspecified , < 7.8.5 (custom) Affected: 7.9.0 , < unspecified (custom) Affected: unspecified , < 7.9.3 (custom) Affected: 7.10.0 , < unspecified (custom) Affected: unspecified , < 7.10.3 (custom) Affected: 7.11.0 , < unspecified (custom) Affected: unspecified , < 7.11.1 (custom)

Date Public

2018-08-27 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.128Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "7.6.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.7.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.8.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.9.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.9.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.10.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.11.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.11.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-08-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-28T12:57:01.000Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2018-08-27T00:00:00",
          "ID": "CVE-2018-13395",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.6.8"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.7.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.7.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.8.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.8.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.9.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.9.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.10.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.10.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.11.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.11.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-67848",
              "refsource": "CONFIRM",
              "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2018-13395",
    "datePublished": "2018-08-28T13:00:00.000Z",
    "dateReserved": "2018-07-06T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:42:34.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2018-13395",
      "date": "2026-06-03",
      "epss": "0.00231",
      "percentile": "0.45998"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-13395\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2018-08-28T12:29:00.353\",\"lastModified\":\"2024-11-21T03:47:01.240\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.\"},{\"lang\":\"es\",\"value\":\"Varios recursos en Atlassian Jira en versiones anteriores a la 7.6.8, desde la versi\u00f3n 7.7.0 hasta antes de la 7.7.5, desde la versi\u00f3n 7.8.0 hasta antes de la 7.8.5, desde la versi\u00f3n 7.9.0 hasta antes de la 7.9.3, desde la versi\u00f3n 7.10.0 hasta antes de la 7.10.3 y antes de la versi\u00f3n 7.11.1 permiten que atacantes remotos inyecten C\u00f3digo HTML o JavaScript arbitrario mediante una vulnerabilidad de Cross-Site Scripting (XSS) en el campo epic colour de un problema mientras se est\u00e1 moviendo un problema.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.6.8\",\"matchCriteriaId\":\"852E5AC8-DEE0-4FC4-ADC3-D4B7D13DD405\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.7.0\",\"versionEndExcluding\":\"7.7.5\",\"matchCriteriaId\":\"300D871F-7128-41F1-BCC8-BE7C3687741B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.8.0\",\"versionEndExcluding\":\"7.8.5\",\"matchCriteriaId\":\"A04E4050-271E-4D23-B988-E02D5A651386\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.9.0\",\"versionEndExcluding\":\"7.9.3\",\"matchCriteriaId\":\"2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.10.0\",\"versionEndExcluding\":\"7.10.3\",\"matchCriteriaId\":\"C568973F-5079-49ED-928D-7F11C842CF4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.11.0\",\"versionEndExcluding\":\"7.11.1\",\"matchCriteriaId\":\"D18DD515-3135-46E4-A99F-0573882BB098\"}]}]}],\"references\":[{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-67848\",\"source\":\"security@atlassian.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-67848\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2018-17635

Vulnerability from cnvd - Published: 2018-09-06

Title

Atlassian JIRA跨站脚本漏洞（CNVD-2018-17635）

Description

Atlassian JIRA是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。 Atlassian JIRA中的多个资源存在跨站脚本漏洞。远程攻击者可借助epic colour字段利用该漏洞注入任意的HTML或JavaScript代码。

Severity

中

Patch Name

Atlassian JIRA跨站脚本漏洞（CNVD-2018-17635）的补丁

Patch Description

Atlassian JIRA是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。 Atlassian JIRA中的多个资源存在跨站脚本漏洞。远程攻击者可借助epic colour字段利用该漏洞注入任意的HTML或JavaScript代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.atlassian.com/browse/JRASERVER-67848

Reference

https://jira.atlassian.com/browse/JRASERVER-67848

Impacted products

Name
['Atlassian JIRA >=7.7.5，<7.8.0', 'Atlassian JIRA >=7.8.5，<7.9.0', 'Atlassian JIRA >=7.9.3，<7.10.0', 'Atlassian JIRA >=7.10.3，<7.11.1', 'Atlassian JIRA >=7.6.8，<7.7.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-13395"
    }
  },
  "description": "Atlassian JIRA\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002\r\n\r\nAtlassian JIRA\u4e2d\u7684\u591a\u4e2a\u8d44\u6e90\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9epic colour\u5b57\u6bb5\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002",
  "discovererName": "SecurityB",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-67848",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17635",
  "openTime": "2018-09-06",
  "patchDescription": "Atlassian JIRA\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002\r\n\r\nAtlassian JIRA\u4e2d\u7684\u591a\u4e2a\u8d44\u6e90\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9epic colour\u5b57\u6bb5\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian JIRA\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-17635\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA \u003e=7.7.5\uff0c\u003c7.8.0",
      "Atlassian JIRA \u003e=7.8.5\uff0c\u003c7.9.0",
      "Atlassian JIRA \u003e=7.9.3\uff0c\u003c7.10.0",
      "Atlassian JIRA \u003e=7.10.3\uff0c\u003c7.11.1",
      "Atlassian JIRA \u003e=7.6.8\uff0c\u003c7.7.0"
    ]
  },
  "referenceLink": "https://jira.atlassian.com/browse/JRASERVER-67848",
  "serverity": "\u4e2d",
  "submitTime": "2018-08-29",
  "title": "Atlassian JIRA\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-17635\uff09"
}

FKIE_CVE-2018-13395

Vulnerability from fkie_nvd - Published: 2018-08-28 12:29 - Updated: 2024-11-21 03:47

Severity

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security@atlassian.com	https://jira.atlassian.com/browse/JRASERVER-67848	Issue Tracking, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://jira.atlassian.com/browse/JRASERVER-67848	Issue Tracking, Vendor Advisory

Impacted products

Vendor	Product	Version
atlassian	jira	*
atlassian	jira_server	*
atlassian	jira_server	*
atlassian	jira_server	*
atlassian	jira_server	*
atlassian	jira_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "852E5AC8-DEE0-4FC4-ADC3-D4B7D13DD405",
              "versionEndExcluding": "7.6.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "300D871F-7128-41F1-BCC8-BE7C3687741B",
              "versionEndExcluding": "7.7.5",
              "versionStartIncluding": "7.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A04E4050-271E-4D23-B988-E02D5A651386",
              "versionEndExcluding": "7.8.5",
              "versionStartIncluding": "7.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2",
              "versionEndExcluding": "7.9.3",
              "versionStartIncluding": "7.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C568973F-5079-49ED-928D-7F11C842CF4B",
              "versionEndExcluding": "7.10.3",
              "versionStartIncluding": "7.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D18DD515-3135-46E4-A99F-0573882BB098",
              "versionEndExcluding": "7.11.1",
              "versionStartIncluding": "7.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved."
    },
    {
      "lang": "es",
      "value": "Varios recursos en Atlassian Jira en versiones anteriores a la 7.6.8, desde la versi\u00f3n 7.7.0 hasta antes de la 7.7.5, desde la versi\u00f3n 7.8.0 hasta antes de la 7.8.5, desde la versi\u00f3n 7.9.0 hasta antes de la 7.9.3, desde la versi\u00f3n 7.10.0 hasta antes de la 7.10.3 y antes de la versi\u00f3n 7.11.1 permiten que atacantes remotos inyecten C\u00f3digo HTML o JavaScript arbitrario mediante una vulnerabilidad de Cross-Site Scripting (XSS) en el campo epic colour de un problema mientras se est\u00e1 moviendo un problema."
    }
  ],
  "id": "CVE-2018-13395",
  "lastModified": "2024-11-21T03:47:01.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-08-28T12:29:00.353",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-M2GF-QJXM-22QM

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03

Details

Severity

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-13395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-28T12:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.",
  "id": "GHSA-m2gf-qjxm-22qm",
  "modified": "2022-05-13T01:03:05Z",
  "published": "2022-05-13T01:03:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13395"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2018-13395

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-13395

Aliases

CVE-2018-13395

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-13395",
    "description": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.",
    "id": "GSD-2018-13395"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-13395"
      ],
      "details": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.",
      "id": "GSD-2018-13395",
      "modified": "2023-12-13T01:22:27.015690Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@atlassian.com",
        "DATE_PUBLIC": "2018-08-27T00:00:00",
        "ID": "CVE-2018-13395",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jira",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.6.8"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.7.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.7.5"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.8.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.8.5"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.9.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.9.3"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.10.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.10.3"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.11.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Atlassian"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross Site Scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://jira.atlassian.com/browse/JRASERVER-67848",
            "refsource": "CONFIRM",
            "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.9.3",
                "versionStartIncluding": "7.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.10.3",
                "versionStartIncluding": "7.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.11.1",
                "versionStartIncluding": "7.11.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.7.5",
                "versionStartIncluding": "7.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.8.5",
                "versionStartIncluding": "7.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.6.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "ID": "CVE-2018-13395"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-67848",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-67848"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-03-25T17:22Z",
      "publishedDate": "2018-08-28T12:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-13395 (GCVE-0-2018-13395)

CNVD-2018-17635

FKIE_CVE-2018-13395

GHSA-M2GF-QJXM-22QM

GSD-2018-13395

Tags

Sightings

Nomenclature