Security Bulletin: IBM Maximo Asset Management contains a vulnerability that could allow a remote authenticated user to view ticket worklog entries that they should not have access to (CVE-2015-5016)
Summary: IBM Maximo Asset Management contains a vulnerability that could allow a remote authenticated user to view ticket worklog entries that they should not have access to. This vulnerability could allow a local attacker to obtain sensitive information. The vulnerability affects Maximo Asset...
Atlassian Jira WikiRenderer parser XSS vulnerability
Summary: An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability. Tested Versions: Atlassian Jira...
Restricted Work Log entries show in the Activity Stream in JIRA Server
This is a regression of bug JRASERVER-34022: Restricted Work Log entries show in the Activity Stream in JIRA Server fixed in JIRA Server including JIRA Core 7.3.8 (https://jira.atlassian.com/browse/JRASERVER-34022). Apparently this is a regression and users that are not meant to see the worklogs ca...
Restricted Work Log entries show in the Activity Stream for JIRA Cloud
Summary: When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. Steps to Reproduce: Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...
REST API allows to get worklog from issue without access rights to that issue
On JIRA OnDemand v6.3-OD-08-005-WN also here! it's possible to get worklog by its ID even if this worklog does not belong to issue passed in API url. Example: On our OnDemand instance I have access rights to . When I add worklog to this issue via REST API, I get its id . Now, when I call GET...