Lucene search
K

2907 matches found

Atlassian
Atlassian
added 2007/10/16 1:27 a.m.17 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0
Atlassian
Atlassian
added 2007/10/12 10:49 p.m.27 views

Security Issue: XSS in wiki exception error page

The confluence wiki does contain a XSS possibility in the exception error page. The user input string is NOT output encoded at following lines: a - - Query String: url=alertdocument.cookie b - javax.servlet.forward.querystring : url=alertdocument.cookie c - atlassian.core.seraph.original.url :...

6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/12 10:49 p.m.23 views

Security Issue: XSS in wiki exception error page

The confluence wiki does contain a XSS possibility in the exception error page. The user input string is NOT output encoded at following lines: a - - Query String: url=alertdocument.cookie b - javax.servlet.forward.querystring : url=alertdocument.cookie c - atlassian.core.seraph.original.url :...

6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/12 10:49 p.m.21 views

Security Issue: XSS in wiki exception error page

The confluence wiki does contain a XSS possibility in the exception error page. The user input string is NOT output encoded at following lines: a - - Query String: url=alertdocument.cookie b - javax.servlet.forward.querystring : url=alertdocument.cookie c - atlassian.core.seraph.original.url :...

6AI score
Exploits0
Atlassian
Atlassian
added 2007/10/03 2:58 a.m.19 views

Velocity does not automatically escape HTML entities when substituting variables

Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/03 2:58 a.m.32 views

Velocity does not automatically escape HTML entities when substituting variables

Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/03 2:58 a.m.24 views

Velocity does not automatically escape HTML entities when substituting variables

Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...

2.2AI score
Exploits0
Atlassian
Atlassian
added 2007/09/06 6:57 p.m.20 views

Option to disable "secure" cookie when using HTTPS just for login page

Confluence's "remember me" tickbox doesn't work if the login page is secure, but the rest of the application is unsecured. Seraph's CookieUtils.setCookie method create a secure cookie ref|http://www.apps.ietf.org/rfc/rfc2965.htmlpage-7 if the request had a secure URL, and this cookie isn't sent b...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/06 6:57 p.m.23 views

Option to disable "secure" cookie when using HTTPS just for login page

Confluence's "remember me" tickbox doesn't work if the login page is secure, but the rest of the application is unsecured. Seraph's CookieUtils.setCookie method create a secure cookie ref|http://www.apps.ietf.org/rfc/rfc2965.htmlpage-7 if the request had a secure URL, and this cookie isn't sent b...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/05 8:3 p.m.18 views

Only allow basic formatting macros in comments

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-9387. panel Currently it is possible for users with create comments permission to embed macros in these comments. This is a...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/05 8:3 p.m.21 views

Only allow basic formatting macros in comments

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-9387. panel Currently it is possible for users with create comments permission to embed macros in these comments. This is a...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/31 4:13 a.m.16 views

Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence

'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros. The vulnerabilities are classified as XSS Type 2 stored and the details with example exploits are in the pdfs attached. Because of similarity of the vulnerabilities assume that it is more than...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/31 4:13 a.m.23 views

Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence

'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros. The vulnerabilities are classified as XSS Type 2 stored and the details with example exploits are in the pdfs attached. Because of similarity of the vulnerabilities assume that it is more than...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/31 4:13 a.m.19 views

Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence

'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros. The vulnerabilities are classified as XSS Type 2 stored and the details with example exploits are in the pdfs attached. Because of similarity of the vulnerabilities assume that it is more than...

6.6AI score
Exploits0
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.25 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.19 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/24 7:51 a.m.18 views

Reflected XSS Vulnerability in the Feed Builder

---- Input in the Feed Builder is not properly handled. Insert: code "alert'Gotcha!' code as the feed name title and you get url like this:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:45 a.m.20 views

Vulnerability against DoS attack via labels

Description: When you give more labels to a content, then Confluence split up the user input on spaces, and then make az SQL query against each word or something like this. Exploit: Giving x thousand characters depends on the machine separated by space as label results the system is breaking down...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:45 a.m.26 views

Vulnerability against DoS attack via labels

Description: When you give more labels to a content, then Confluence split up the user input on spaces, and then make az SQL query against each word or something like this. Exploit: Giving x thousand characters depends on the machine separated by space as label results the system is breaking down...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:45 a.m.16 views

Vulnerability against DoS attack via labels

Description: When you give more labels to a content, then Confluence split up the user input on spaces, and then make az SQL query against each word or something like this. Exploit: Giving x thousand characters depends on the machine separated by space as label results the system is breaking down...

3.2AI score
Exploits0
Rows per page
Query Builder