Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization

Atlasssian Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 is susceptible to incorrect authorization. The ManageFilters.jspa resource allows a remote attacker to enumerate usernames via an incorrect authorization check, thus possibly obtaining sensitive information, modifyi...

GitLab Enterprise Edition - Server-Side Request Forgery

An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. The Jira integration feature is vulnerable to an unauthenticated blind SSRF issue. id: CVE-2019-6793 info: name: GitLab Enterprise Edition - Server-Side Request Forgery author:...

Jira < 8.1.1 - Cross-Site Scripting

Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter. id: CVE-2019-3402 info: name: Jira 8.1.1 - Cross-Site Scripting author: pdteam severity: medium description: | Jira before 8.1.1 contains a cross-site...

STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion

STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site...

Jira Rainbow.Zen - Cross-Site Scripting

Jira Rainbow.Zen contains a cross-site scripting vulnerability via Jira/secure/BrowseProject.jspa which allows remote attackers to inject arbitrary web script or HTML via the id parameter. id: CVE-2007-0885 info: name: Jira Rainbow.Zen - Cross-Site Scripting author: geeknik severity: medium...

Jira Improper Authorization

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. id: CVE-2019-8446 info: name: Jira Improper Authorization author: dhiyaneshDk severity: medium description: The /rest/issueNav/1/issueTable...

Jira Server Pre-Auth - Arbitrary File Retrieval (WEB-INF, META-INF)

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. id: CVE-2020-29453 info: name: Jira Server Pre-Auth - Arbitrary File...

Atlassian Jira IconURIServlet - Cross-Site Scripting/Server-Side Request Forgery

The Atlassian Jira IconUriServlet of the OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 contains a cross-site scripting vulnerability which allows remote attackers to access the content of internal network resources and/or perform an attack via...

CVE-2026-6673

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

CVE-2026-6062 IDOR in Jira plugin subscription edit endpoint

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT...

CVE-2026-6062

CVE-2026-6062 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, and 10.11.x ≤ 10.11.17. The issue is a logic flaw where the system fails to validate channel ownership of an existing subscription before applying edits, enabling an authenticated attacker to hijack subsc...

CVE-2026-6673 Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

CVE-2026-6673

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

EUVD-2026-38249

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

CVE-2026-6673

Mattermost Jira plugin (CVE-2026-6673) authenticates poorly during Atlassian Connect install. Affected Mattermost versions (11.7.x &lt;= 11.7.0, 11.6.x &lt;= 11.6.2, 11.5.x &lt;= 11.5.5, 10.11.x

Jira Subversion ALM for Enterprise <8.8.2 - Cross-Site Scripting

Jira Subversion ALM for Enterprise before 8.8.2 contains a cross-site scripting vulnerability at multiple locations. id: CVE-2020-9344 info: name: Jira Subversion ALM for Enterprise 8.8.2 - Cross-Site Scripting author: madrobot severity: medium description: Jira Subversion ALM for Enterprise befo...

Atlassian Jira Server/Data Center <8.5.8/8.6.0 - 8.11.1 - Information Disclosure

Atlassian Jira Server and Data Center before 8.5.8 and 8.6.0 through 8.11.1 are susceptible to information disclosure via the /secure/QueryComponent!Default.jspa endpoint. An attacker can view custom field names and custom SLA names. id: CVE-2020-14179 info: name: Atlassian Jira Server/Data Cente...

Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting

The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting vulnerability in the cyclePeriod parameter. id: CVE-2018-20824 info: name: Atlassian Jira WallboardServlet 7.13.1 - Cross-Site Scripting author:...

JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. id: CVE-2017-5983 info: name:...

STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion

STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjCustomDesignConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This...