CVE-2020-4023

low-risk

Published 2020-06-01

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Crucible

Fisheye

Affected Vendors

Atlassian

References (4)

Vendor Advisory https://jira.atlassian.com/browse/CRUC-8482

Vendor Advisory https://jira.atlassian.com/browse/FE-7298

Vendor Advisory https://jira.atlassian.com/browse/CRUC-8482

Vendor Advisory https://jira.atlassian.com/browse/FE-7298

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low