Improper Authorization Vulnerability in Atlassian Fisheye and Crucible Allows Unauthorized Removal of Repository Watching Settings

CVE-2020-4014 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. As the CVSS vector indicates, the attacker needs a low-privilege authenticated account (PR:L) and no victim interaction (UI:N); the impact is limited to integrity (I:L), since a victim's repository watch can be deleted but no data is disclosed and availability is unaffected. The fix is to upgrade to Fisheye or Crucible 4.8.1 or later.
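The bug class here is a delete endpoint that checks only that the caller is logged in, not that the caller owns the object being deleted. The following is an added illustration, not Atlassian's code and not a reconstruction of the actual Fisheye/Crucible handler: a hypothetical `delete_watch_vulnerable` that deletes whatever watch ID it is given, beside a `delete_watch_fixed` that enforces ownership. The `Watch`, `WatchStore` and the sample users are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class Unauthenticated(Exception):
    """No session: caller must log in."""


class NotFound(Exception):
    """Watch does not exist for this caller."""


@dataclass
class Watch:
    watch_id: int
    owner: str        # username that created the watch
    repository: str


@dataclass
class WatchStore:
    """Stand-in for the persistence layer (hypothetical, in-memory)."""
    watches: Dict[int, Watch] = field(default_factory=dict)

    def add(self, watch: Watch) -> None:
        self.watches[watch.watch_id] = watch


def delete_watch_vulnerable(store: WatchStore, current_user: Optional[str], watch_id: int) -> bool:
    """Checks authentication only. Any logged-in user can delete any watch
    by supplying its ID: this is the improper-authorization pattern."""
    if current_user is None:
        raise Unauthenticated()
    # Ownership is never compared against current_user.
    store.watches.pop(watch_id, None)
    return True


def delete_watch_fixed(store: WatchStore, current_user: Optional[str], watch_id: int) -> bool:
    """Authorization is tied to the authenticated principal: the watch is
    deleted only if the caller owns it. A foreign watch and a missing watch
    produce the same NotFound so the endpoint does not reveal whether
    another user's watch ID exists."""
    if current_user is None:
        raise Unauthenticated()
    watch = store.watches.get(watch_id)
    if watch is None or watch.owner != current_user:
        raise NotFound()
    del store.watches[watch_id]
    return True


def build_sample_store() -> WatchStore:
    """Constructed sample data: alice and bob each watch one repository."""
    store = WatchStore()
    store.add(Watch(watch_id=1, owner="alice", repository="project-a"))
    store.add(Watch(watch_id=2, owner="bob", repository="project-b"))
    return store


def attacker_can_delete_victim_watch(handler) -> bool:
    """Run the scenario from the advisory: bob (low-privilege, authenticated)
    attempts to delete alice's watch (ID 1). Returns True if alice's watch
    is gone afterwards."""
    store = build_sample_store()
    try:
        handler(store, "bob", 1)
    except NotFound:
        pass
    return 1 not in store.watches


if __name__ == "__main__":
    print("vulnerable:", attacker_can_delete_victim_watch(delete_watch_vulnerable))  # True
    print("fixed:     ", attacker_can_delete_victim_watch(delete_watch_fixed))       # False
```

The check worth carrying into code review is the one in `delete_watch_fixed`: every mutating request that names an object by ID must be resolved through the authenticated principal, not by trusting the ID alone.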
