Lucene search
K

454 matches found

Prion
Prion
added 2013/07/01 9:55 p.m.20 views

Xxe

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to 1 /services/2 or 2 services/latest with a DTD containing an XML external entity declaration in conjunction with an...

5.8CVSS7.2AI score0.01758EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2013/07/01 9:0 p.m.42 views

CVE-2013-3925

Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to 1 /services/2 or 2 services/latest with a DTD containing an XML external entity declaration in conjunction with an...

9AI score0.01758EPSS
Exploits1References2
CVE
CVE
added 2013/07/01 9:0 p.m.48 views

CVE-2013-3926

Atlassian Crowd 2.6.3 is cited as vulnerable to remote command execution via unspecified vectors related to a “symmetric backdoor.” The vendor publicly stated they could not reproduce the issue as of 2013-07-04 and provided no detail or patch information; no concrete exploit details are included....

7.5CVSS7.8AI score0.01937EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2013/07/01 9:0 p.m.25 views

CVE-2013-3926

Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmetric backdoor." NOTE: as of 20130704, the vendor could not reproduce the issue, stating "We've been unable to substantiate the existence of CVE-2013-3926. The author of the artic...

7.6AI score0.01937EPSS
Exploits1References2
CVE
CVE
added 2013/07/01 9:0 p.m.67 views

CVE-2013-3925

CVE-2013-3925 affects Atlassian Crowd prior to version 2.5.4, 2.6.x prior to 2.6.3, as well as 2.3.8 and 2.4.9. The flaw is an XML External Entity (XXE) vulnerability that enables remote attackers to read arbitrary files and cause requests to intranet servers by crafting a request to /services/2 ...

5.8CVSS8.9AI score0.01758EPSS
Exploits1References2Affected Software1
Atlassian
Atlassian
added 2013/07/01 4:52 a.m.33 views

Force change of password when enabling the default applications in crowd

Currently it is too easy for an administrator to click through the crowd setup wizard and enable the openid & demo application and not set passwords for either of the applications. It should not be possible to enable a default application without first changing the default password...

3.7AI score
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2013/07/01 12:0 a.m.5 views

PT-2013-4747 · Atlassian · Crowd

Name of the Vulnerable Software and Affected Versions: Atlassian Crowd versions 2.3.8 Atlassian Crowd versions 2.4.9 Atlassian Crowd versions 2.5.x through 2.5.3 Atlassian Crowd versions 2.6.x through 2.6.2 Description: The issue allows remote attackers to read arbitrary files and send HTTP...

5.8CVSS6.5AI score0.01758EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2013/07/01 12:0 a.m.4 views

PT-2013-4748 · Atlassian · Crowd

Name of the Vulnerable Software and Affected Versions: Atlassian Crowd version 2.6.3 Description: The issue allows remote attackers to execute arbitrary commands. The vendor was unable to reproduce the issue as of 20130704 and stated that they could not substantiate the existence of the problem d...

7.5CVSS7.6AI score0.01937EPSS
Exploits1References4
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.84 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

9.1CVSS0.1AI score0.66578EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.36 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

5.8CVSS0.1AI score0.01758EPSS
Exploits1
Atlassian
Atlassian
added 2013/05/23 12:31 a.m.28 views

The group # in crowd and confluence is different

I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/23 12:31 a.m.23 views

The group # in crowd and confluence is different

I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/23 12:31 a.m.23 views

The group # in crowd and confluence is different

I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...

1.4AI score
Exploits0
ThreatPost
ThreatPost
added 2012/09/27 4:0 p.m.19 views

Analysis Shows Some URL Shorteners Often Point to Untrusted Websites

In an analysis of 1.7 billion shortened URLs, researchers at Web of Trust found that 8.7 percent of TinyURLs and five percent of Bit.ly URLs lead to sites that received poor ratings for ‘trustworthiness’ and ‘child protection.’ “Certainly the URL shortening services don’t intend to point people t...

0.1AI score
Exploits0References2
Atlassian
Atlassian
added 2012/09/10 4:14 a.m.22 views

The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter

We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input validation where applicable. Special characters should be stripped out during the validation process. The following special characters should be stripped out if...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/10 4:14 a.m.23 views

The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/10 4:14 a.m.60 views

The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side inpu...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/04 9:29 a.m.23 views

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won't be visible to public that has been announced in Crowd 2.3.6 release notes - Crowd 2.3.6 Release...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/04 9:29 a.m.18 views

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won't...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/04 9:29 a.m.23 views

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won'...

0.6AI score
Exploits0Affected Software1
Rows per page
Query Builder