13 matches found
EUVD-2019-10963
Malware in sbrugna...
Atlassian JIRA Server and Data Center Cross-Site Scripting Vulnerability (CNVD-2021-17356)
Atlassian JIRA Server and Atlassian JIRA Data Center are both products of Atlassian Australia. Atlassian JIRA Server is the server version of a defect tracking management system that is used to track and manage all...
CVE-2019-20414
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2...
Cross site scripting
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2...
Advanced JQL Search does not Respect User email visibility Hidden
Problem: The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails (see screenshots). Steps to Reproduce: Set User email visibility to Hidden (JIRA Administration > System > General Configuration > Edit > Use...
Unauthenticated User can access certain pages on a private JIRA instance
When you enter the URL of a private JIRA instance on the Quick Search from the login page, you will be directed to the Issue Navigator. [screenshot: mark2.jpg] If you click the "Status" drop-down button, you, the unauthenticated user, would be able to see the status codes. [screenshot: mark1.jpg] If yo...
JIRA Workflow Step Property jira.permission.browse allows you to view issues in issue navigator
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/JRACLOUD-35917. Summary: The JIRA Workflow Step Property jira.permission.browse does not prevent you from viewing issues in the issue navigator. ...
Grant "Browse Project" permission to "Current Assignee" makes project visible to all users
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report: http://jira.atlassian.com/browse/JRASERVER-31720. Status Update: Hi everyone, We have reviewed...
XSS vulnerability in chart saving
1. Create a new dashboard with the name alert"XSS" 2. Go to the issue navigator and perform a search 3. Choose Views > Charts > Save to dashboard. This is because portal.name is unescaped in savetodashboard.vm. Tested in OnDemand and BTF...
Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date
Similar to JRA-12410: deleting a custom field does not adequately clean up after itself. Specifically, affected issues are not reindexed, so the updated security and permission aspects are not reflected in search results, which is a security hole. Note that a naive fix may produce...