Crowd Security Advisory 2010-05-04

This advisory announces a number of security vulnerabilities in earlier versions of Crowd that we have found and fixed in Crowd 2.0.4. In addition to releasing Crowd 2.0.4, we also provide point releases for earlier versions of Crowd to fix the vulnerabilities reported here.

In this advisory:

XSS Vulnerabilities


Atlassian rates these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Crowd instances in a public environment.

  • 攻撃者は、この脆弱性を利用して他のユーザーのセッション クッキーやその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
  • An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.


The table below lists the affected areas of Crowd. These XSS vulnerabilities exist in all versions of Crowd, up to and including Crowd 2.0.3.

Crowd Feature

Issue Tracking

Crowd Administration Console


Error page


Risk Mitigation

To address the issues, you should upgrade Crowd as soon as possible. If you cannot upgrade immediately, you should configure your firewall to block Internet access to Crowd.


Crowd 2.0.4 fixes all of these issues and introduces some nice improvements too. See the release notes. You can download Crowd 2.0.4 from the download centre.

If you cannot upgrade to Crowd 2.0.4, please download the relevant upgrade file for your version of Crowd from the download centre:

最終更新日: 2014 年 10 月 14 日


Powered by Confluence and Scroll Viewport.