Malicious code in applinks (npm)
Source: ghsa-malware c927df7579cbb8f129291c2b42746cc225d15855b821f735300d1773cbee4e5f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720
Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jir...
Information disclosure in the /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin - CVE-2020-4017
The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to obtain information about any configured Jira application links via an information disclosure vulnerability...
Network enumeration via CSRF in Applinks endpoint
The Applinks endpoint in Atlassian Jira Server and Data Center in affected versions allows remote attackers to enumerate local network resources via a cross-site request forgery (CSRF) vulnerability. Affected versions: version < 8.5.4; 8.6.0 ≤ version < 8.7.0. Fixed versions: 8.5.4, 8.7.0...
Improper Authorization in Applinks - CVE-2019-20105
The Application links plugin used in Atlassian Confluence Server and Data Center before version 6.13.11, and from version 6.14.0 before version 7.3.3, allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo, via an improper authorization check. See...
Improper Authorization in Applinks - CVE-2019-20105
The Application links plugin used in Atlassian Jira Server and Data Center before version 7.13.12, from version 8.0.0 before version 8.5.4, and from version 8.6.0 before version 8.6.1, allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo, via an...
Editing Applinks with Admin account without requiring Administrator Access (WebSudo)
Issue Summary: An applink can be edited without logging in with WebSudo access if the direct URL $baseURL/plugins/servlet/applinks/edit/$appLink-ID is used. The user will still need to be an administrator to make this change, as the page is only accessible to administrators; non-admin users...
Bruteforce Attack via Applinks Servlet
An attacker is able to perform brute-force attacks via the applinks servlet. There is no CAPTCHA protection, nor do accounts get locked out after excessive attempts. The attacker can input a username and perform brute-force attacks on the login form. The core issue is that there is no login attemp...
Applink configuration data is exposed anonymously
If you make an anonymous GET request to /rest/issueLinkAppLink/1/appLink/info, the instance returns the names, IDs and URLs of all applinks configured on the instance. For example, an anonymous request to https://jira.atlassian.com/rest/issueLinkAppLink/1/appLink/info returns...
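A quick way to check your own instance for this disclosure is to issue the same anonymous GET and classify the answer. The script below is an added example, not Atlassian's code or the ticket's own request; the exact JSON shape the endpoint returns is an assumption, so the extractor accepts either a bare list of applink objects or an object wrapping such a list, and the constructed sample response only illustrates that shape.

```python
import json
import sys
import urllib.error
import urllib.request

APPLINK_INFO_PATH = "/rest/issueLinkAppLink/1/appLink/info"


def extract_applinks(body):
    """Return (name, id, url) triples from the JSON body. Tolerates a bare
    list or a dict whose first list-valued member holds the applinks.
    The field names are assumptions about the response shape."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if isinstance(data, dict):
        lists = [v for v in data.values() if isinstance(v, list)]
        data = lists[0] if lists else [data]
    found = []
    for entry in data:
        if not isinstance(entry, dict):
            continue
        # First string field whose key mentions "url" (displayUrl, rpcUrl, ...)
        url = next((v for k, v in entry.items()
                    if isinstance(v, str) and "url" in k.lower()), None)
        found.append((entry.get("name"), entry.get("id"), url))
    return found


def classify(status, body):
    """Verdict for an anonymous response: exposed / empty / not_exposed / inconclusive."""
    if status in (401, 403):
        return "not_exposed"
    if status != 200:
        return "inconclusive"
    try:
        json.loads(body)
    except ValueError:
        return "inconclusive"  # e.g. an HTML login page served with 200
    return "exposed" if extract_applinks(body) else "empty"


def probe(base_url, timeout=10):
    """Anonymous GET against a live instance; returns (verdict, applinks)."""
    req = urllib.request.Request(base_url.rstrip("/") + APPLINK_INFO_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    return classify(status, body), extract_applinks(body)


# Constructed sample of what an exposed instance might return (shape assumed)
SAMPLE_EXPOSED = json.dumps([
    {"id": "a1b2c3", "name": "Confluence",
     "displayUrl": "https://wiki.internal.example",
     "rpcUrl": "https://wiki.internal.example"},
    {"id": "d4e5f6", "name": "Bamboo",
     "displayUrl": "https://build.internal.example"},
])

if __name__ == "__main__":
    verdict, links = probe(sys.argv[1])
    print(verdict)
    for name, link_id, url in links:
        print(f"  {name} ({link_id}) -> {url}")
```

Run it as `python check_applinks.py https://jira.example.com` from a host with no Jira session. An "exposed" verdict is the disclosure described above; note that the URLs it prints are exactly the internal hostnames an attacker would combine with the CSRF enumeration issue listed earlier on this page.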