Improper Authorization Vulnerability in Atlassian Fisheye and Crucible Allows Unauthorized Removal of User's Favourite Setting

CVE-2019-15009 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.
