CVE-2018-20239

Summary

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.

Affected Software

VendorProductVersion RangeStatus
AtlassianAtlassian Application Linksunspecified < 5.0.11affected
AtlassianAtlassian Application Links5.1.0 < unspecifiedaffected
AtlassianAtlassian Application Linksunspecified < 5.2.10affected
AtlassianAtlassian Application Links5.3.0 < unspecifiedaffected
AtlassianAtlassian Application Linksunspecified < 5.3.6affected
AtlassianAtlassian Application Links5.4.0 < unspecifiedaffected
AtlassianAtlassian Application Linksunspecified < 5.4.12affected
AtlassianAtlassian Application Links6.0.0 < unspecifiedaffected
AtlassianAtlassian Application Linksunspecified < 6.0.4affected

Weaknesses

  • Cross Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

References