cnvd - cnvd-2018-10218

CNVD-2018-10218

Vulnerability from cnvd - Published: 2018-05-23

Title

Atlassian Application Links跨站脚本漏洞（CNVD-2018-10218）

Description

Atlassian Application Links是澳大利亚Atlassian公司的一款使用在Atlassian产品中用于创建连接到其他应用程序中的按钮的插件。 Atlassian Application Links 5.2.7之前版本、5.3.4之前的5.3.0版本和5.4.3之前的5.4.0版本中的invalidRedirectUrl模板存在跨站脚本漏洞。远程攻击者可借助‘redirectUrl’参数利用该漏洞注入任意的HTML或JavaScript代码。

Severity

中

Patch Name

Atlassian Application Links跨站脚本漏洞（CNVD-2018-10218）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://ecosystem.atlassian.net/browse/APL-1363

Reference

https://ecosystem.atlassian.net/browse/APL-1363

Impacted products

Name
['Atlassian Application Links <5.2.7', 'Atlassian Application Links 5.3.0，<5.3.4', 'Atlassian Application Links 5.4.0，<5.4.3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104188"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-16860",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16860"
    }
  },
  "description": "Atlassian Application Links\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u6b3e\u4f7f\u7528\u5728Atlassian\u4ea7\u54c1\u4e2d\u7528\u4e8e\u521b\u5efa\u8fde\u63a5\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6309\u94ae\u7684\u63d2\u4ef6\u3002\r\n\r\nAtlassian Application Links 5.2.7\u4e4b\u524d\u7248\u672c\u30015.3.4\u4e4b\u524d\u76845.3.0\u7248\u672c\u548c5.4.3\u4e4b\u524d\u76845.4.0\u7248\u672c\u4e2d\u7684invalidRedirectUrl\u6a21\u677f\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018redirectUrl\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002",
  "discovererName": "Atlassian",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://ecosystem.atlassian.net/browse/APL-1363",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10218",
  "openTime": "2018-05-23",
  "patchDescription": "Atlassian Application Links\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u6b3e\u4f7f\u7528\u5728Atlassian\u4ea7\u54c1\u4e2d\u7528\u4e8e\u521b\u5efa\u8fde\u63a5\u5230\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6309\u94ae\u7684\u63d2\u4ef6\u3002\r\n\r\nAtlassian Application Links 5.2.7\u4e4b\u524d\u7248\u672c\u30015.3.4\u4e4b\u524d\u76845.3.0\u7248\u672c\u548c5.4.3\u4e4b\u524d\u76845.4.0\u7248\u672c\u4e2d\u7684invalidRedirectUrl\u6a21\u677f\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018redirectUrl\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216JavaScript\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian Application Links\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10218\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian Application Links \u003c5.2.7",
      "Atlassian Application Links 5.3.0\uff0c\u003c5.3.4",
      "Atlassian Application Links 5.4.0\uff0c\u003c5.4.3"
    ]
  },
  "referenceLink": "https://ecosystem.atlassian.net/browse/APL-1363",
  "serverity": "\u4e2d",
  "submitTime": "2018-05-23",
  "title": "Atlassian Application Links\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2018-10218\uff09"
}

CVE-2017-16860 (GCVE-0-2017-16860)

Vulnerability from cvelistv5 – Published: 2018-05-14 13:00 – Updated: 2024-09-17 00:10

Summary

The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.

Severity ?

No CVSS data available.

CWE

Cross Site Scripting (XSS)

Assigner

atlassian

References

URL

Tags

	https://ecosystem.atlassian.net/browse/APL-1363	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/104188	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Atlassian	Application Links	Affected: unspecified , < 5.2.7 (custom) Affected: 5.3.0 , < unspecified (custom) Affected: unspecified , < 5.3.4 (custom) Affected: 5.4.0 , < unspecified (custom) Affected: unspecified , < 5.4.3 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:35:21.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://ecosystem.atlassian.net/browse/APL-1363"
          },
          {
            "name": "104188",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104188"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Application Links",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "5.2.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.3.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "5.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.4.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-05-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-17T09:57:01",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://ecosystem.atlassian.net/browse/APL-1363"
        },
        {
          "name": "104188",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104188"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2018-05-14T00:00:00",
          "ID": "CVE-2017-16860",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Application Links",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.2.7"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "5.3.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.3.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "5.4.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.4.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ecosystem.atlassian.net/browse/APL-1363",
              "refsource": "CONFIRM",
              "url": "https://ecosystem.atlassian.net/browse/APL-1363"
            },
            {
              "name": "104188",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104188"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2017-16860",
    "datePublished": "2018-05-14T13:00:00Z",
    "dateReserved": "2017-11-16T00:00:00",
    "dateUpdated": "2024-09-17T00:10:37.417Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-10218

CVE-2017-16860 (GCVE-0-2017-16860)

Tags

Sightings

Nomenclature