The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.

Related CVEs

CVE-2017-18034

Key Information

GHSA ID

GHSA-x7hq-f29f-78q8

Published

May 13, 2022 1:13 AM

Last Modified

May 13, 2022 1:13 AM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.