Stash security advisory 2012-09-04
This advisory discloses a security vulnerability that we have found in Stash and fixed in Stash 1.1.2.
Customers who have downloaded and installed Stash should upgrade their existing Stash installations to fix this vulnerability.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
Atlassian rates the severity level of this vulnerability as High, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, medium or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.
This vulnerability affects all supported versions of Stash, and has been fixed in Stash 1.1.2. This issue can be tracked here: BSERV-2676 - Persistent Cross Site Scripting Vulnerability (status: Closed).
We strongly recommend upgrading your Stash installation to fix this vulnerability. Please see the 'Fix' section below.
The vulnerability and fix version are described in the 'Description' section above.
We recommend that you upgrade to the latest version of Stash, if possible. For a full description of the latest version of Stash, see the release notes. You can download the latest version of Stash from the download centre.
Patches are not available for this vulnerability.