CVE-2008-6831

Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29	Patch Vendor Advisory
http://osvdb.org/49415
http://osvdb.org/49416
http://secunia.com/advisories/32113	Vendor Advisory
http://www.securityfocus.com/bid/31967
https://exchange.xforce.ibmcloud.com/vulnerabilities/46167
https://exchange.xforce.ibmcloud.com/vulnerabilities/46168

Configurations

Configuration 1 (hide)

cpe:2.3:a:atlassian:jira:3.13:*:enterprise:*:*:*:*:*

History

No history.

Information

Published : 2009-06-08 19:30

Updated : 2017-08-17 01:29

NVD link : CVE-2008-6831

Mitre link : CVE-2008-6831

CVE.ORG link : CVE-2008-6831

JSON object : View

Products Affected

atlassian

jira

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2008-6831", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2009-06-08T19:30:00.297", "references": [{"url": "http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2008-10-29", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://osvdb.org/49415", "source": "cve@mitre.org"}, {"url": "http://osvdb.org/49416", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/32113", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/31967", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46167", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46168", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka \"Add Comment\")."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en JIRA Enterprise Edition v3.13 de Atlassian permiten a usuarios remotos inyectar codigo web script o c\u00f3digo HTML a trav\u00e9s de (1) el par\u00e1metro \"fullname\" (nombre completo) en la p\u00e1gina \"ViewProfile\" (ver perfil) o (2) el par\u00e1metro returnUrl en un formulario, como se ha demostrado usando secure/AddComment!default.jspa (a\u00f1adir comentario)."}], "lastModified": "2017-08-17T01:29:36.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:3.13:*:enterprise:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7ECA8B69-B096-4011-8CC2-0261F95EC6DA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}