Stash security advisory 2012-09-04
This advisory discloses a security vulnerability that we have found in Stash and fixed in Stash 1.1.2.
Customers who have downloaded and installed Stash should upgrade their existing Stash installations to fix this vulnerability.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
このアドバイザリに関してご質問や懸念がある場合は、https://support.atlassian.com/ でサポート リクエストを起票してください。
In this advisory:
XSS 脆弱性
深刻度
Atlassian rates the severity level of this vulnerability as High, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.
説明
We have identified and fixed a persistent cross-site scripting (XSS) vulnerability that affects Stash instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Stash page.
You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web.
This vulnerability affects all supported versions of Stash, and has been fixed in Stash 1.1.2. This issue can be tracked here: STASH-2676 - Getting issue details... STATUS
Risk Mitigation
We strongly recommend upgrading your Stash installation to fix this vulnerability. Please see the 'Fix' section below.
修正
アップグレード
脆弱性と修正バージョンは、上記の「説明」セクションで説明されています。
We recommend that you upgrade to the latest version of Stash, if possible. For a full description of the latest version of Stash, see the release notes. You can download the latest version of Stash from the download centre.
Patches are not available for this vulnerability.