Piotr Swiecicki

**Name of the Vulnerable Software and Affected Versions** Atlassian Crucible versions 4.1.0 through 4.4.0 **Description** The issue allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the `review filter title` parameter. This could potentially lead to malicious actions on the affected system. **Recommendations** For Atlassian Crucible versions 4.1.0 through 4.4.0, update to version 4.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Atlassian Fisheye and Crucible versions prior to 4.4.1 **Description** The issue allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. This can be exploited by attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to create or modify repository and review file names to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Atlassian Crucible versions prior to 4.4.1 **Description** The issue concerns a cross site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary HTML or JavaScript through the charset of a previously uploaded file, specifically targeting the review file upload resource. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Atlassian Fisheye versions prior to 4.4.1 **Description** The issue allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability. This is achieved through the `start date` and `end date` parameters in the repository changelog resource. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the repository changelog resource to minimize the risk of exploitation. Avoid using the `start date` and `end date` parameters in the affected resource until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Atlassian Fisheye and Crucible versions prior to 4.4.1 **Description** The issue allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. This is due to a vulnerability in the MultiPathResource class. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Atlassian Fisheye and Crucible versions prior to 4.4.1 **Description** The issue allows anonymous remote attackers to access sensitive information, such as email addresses of committers, due to a lack of permission checks in the mostActiveCommitters.do resource. **Recommendations** For versions prior to 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the mostActiveCommitters.do resource until a patch is applied.