454 matches found
Xxe
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to 1 /services/2 or 2 services/latest with a DTD containing an XML external entity declaration in conjunction with an...
CVE-2013-3925
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to 1 /services/2 or 2 services/latest with a DTD containing an XML external entity declaration in conjunction with an...
CVE-2013-3926
Atlassian Crowd 2.6.3 is cited as vulnerable to remote command execution via unspecified vectors related to a “symmetric backdoor.” The vendor publicly stated they could not reproduce the issue as of 2013-07-04 and provided no detail or patch information; no concrete exploit details are included....
CVE-2013-3926
Atlassian Crowd 2.6.3 allows remote attackers to execute arbitrary commands via unspecified vectors related to a "symmetric backdoor." NOTE: as of 20130704, the vendor could not reproduce the issue, stating "We've been unable to substantiate the existence of CVE-2013-3926. The author of the artic...
CVE-2013-3925
CVE-2013-3925 affects Atlassian Crowd prior to version 2.5.4, 2.6.x prior to 2.6.3, as well as 2.3.8 and 2.4.9. The flaw is an XML External Entity (XXE) vulnerability that enables remote attackers to read arbitrary files and cause requests to intranet servers by crafting a request to /services/2 ...
Force change of password when enabling the default applications in crowd
Currently it is too easy for an administrator to click through the crowd setup wizard and enable the openid & demo application and not set passwords for either of the applications. It should not be possible to enable a default application without first changing the default password...
PT-2013-4747 · Atlassian · Crowd
Name of the Vulnerable Software and Affected Versions: Atlassian Crowd versions 2.3.8 Atlassian Crowd versions 2.4.9 Atlassian Crowd versions 2.5.x through 2.5.3 Atlassian Crowd versions 2.6.x through 2.6.2 Description: The issue allows remote attackers to read arbitrary files and send HTTP...
PT-2013-4748 · Atlassian · Crowd
Name of the Vulnerable Software and Affected Versions: Atlassian Crowd version 2.6.3 Description: The issue allows remote attackers to execute arbitrary commands. The vendor was unable to reproduce the issue as of 20130704 and stated that they could not substantiate the existence of the problem d...
Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network
h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...
Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network
h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...
The group # in crowd and confluence is different
I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...
The group # in crowd and confluence is different
I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...
The group # in crowd and confluence is different
I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...
Analysis Shows Some URL Shorteners Often Point to Untrusted Websites
In an analysis of 1.7 billion shortened URLs, researchers at Web of Trust found that 8.7 percent of TinyURLs and five percent of Bit.ly URLs lead to sites that received poor ratings for ‘trustworthiness’ and ‘child protection.’ “Certainly the URL shortening services don’t intend to point people t...
The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter
We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input validation where applicable. Special characters should be stripped out during the validation process. The following special characters should be stripped out if...
The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input...
The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side inpu...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won't be visible to public that has been announced in Crowd 2.3.6 release notes - Crowd 2.3.6 Release...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won't...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won'...