Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2021/02/22 11:35 a.m.69 views

Update Apache Struts 2 to avoid CVE-2020-17530

Update Apache Struts to 2.5.26 to avoid CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061...

9.8CVSS2.1AI score0.95922EPSS
Exploits11
Atlassian
Atlassian
added 2020/10/11 11:20 p.m.69 views

Security improvements to the Velocity Uberspector

This ticket documents an improvement to the Velocity Uberspector's security, locking down which classes can be accessed. This change is a defence-in-depth against potential Remote Code Execution RCE and Injection attacks. The versions which do not have this improvement are before version 8.12.3...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/20 4:18 p.m.69 views

XSS in branch name

h3. Issue Summary Advisory: Stored Cross-site scripting Description =========== Short summary of the vulnerability. A stored cross-site scripting XSS vulnerability was discovered in the Commits section of the Bitbucket application. An attacker can create a branch and inject an XSS payload into th...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/29 11:27 p.m.69 views

Information disclosure of project key existence vulnerability in Jira - CVE-2019-20403

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability...

5.3CVSS5.1AI score0.0147EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/18 1:19 p.m.69 views

The team calendar event notification should not contain Confluence version number

h3. Issue Summary The team calendar notification template shows the Confluence version number in the footer, which might be a security vulnerability for some customers. h3. Steps to Reproduce Create an event on the Confluence team calendar and wait for the reminder email to be sent. h3. Expected...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:48 a.m.69 views

The ViewLogging class exposed various resources that were vulnerable to CSRF - CVE-2019-11587

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery CSRF...

6.5CVSS5.9AI score0.00799EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:45 a.m.69 views

The ViewSystemInfo class doGarbageCollection method was vulnerable to CSRF - CVE-2019-11588

The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery CSRF vulnerability...

4.3CVSS6.3AI score0.00793EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/15 2:23 a.m.69 views

XSS in /includes/decorators/global-translations.jsp

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61888. panel Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: Tamper with a GET request to...

6.1CVSS5.9AI score0.02111EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.69 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS0.6AI score0.02302EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2023/11/12 1:45 p.m.68 views

Deserialization com.fasterxml.jackson.core:jackson-databind in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.02656EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/18 7:56 p.m.68 views

Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

Update: 2022/04/08 23:00 UTC Coordinated Universal Time, +0 hours Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket Note the new CVE assignment does not change any other information in this advisory...

9.8CVSS3.2AI score0.71092EPSS
Exploits4
Atlassian
Atlassian
added 2021/11/01 8:34 p.m.68 views

Unicode characters allow malicious code to be hidden from a human reviewer (Confluence Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Confluence Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by th...

8.3CVSS3.8AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/08/16 3:40 a.m.68 views

Jira is affected by Tomcat CVE-2020-13943

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-13943|https://vulners.com/cve/CVE-2020-13943. The affected versions of Jira Server and Data Center are before version 8.5.14, from version 8.6.0 before 8.13.6, and from versi...

4.3CVSS5.4AI score0.57286EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/19 10:18 p.m.68 views

Project enumeration via Jira Projects plugin report page - CVE-2020-29451

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version...

4.3CVSS4.4AI score0.00846EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/29 5:19 a.m.68 views

XSS in Issue - Attachments - CVE-2020-4025

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a rdf content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed...

4.8CVSS5.1AI score0.00918EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/15 3:29 p.m.68 views

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2019-12418|https://vulners.com/cve/CVE-2019-12418 CVE-2019-17563|https://vulners.com/cve/CVE-2019-17563 Which affects the following versions: Apache Tomcat 8.x from 8.5.0 before 8.5.50 We should bundle a more...

9.8CVSS8.3AI score0.9927EPSS
Exploits45Affected Software1
Atlassian
Atlassian
added 2019/08/12 3:26 a.m.68 views

User enumeration in the login.jsp resource - CVE-2019-8448

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability...

5.3CVSS4.9AI score0.01809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/03 2:27 a.m.68 views

XSS in the two-dimensional filter statistics gadget on a Jira dashboard - CVE-2018-13403

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of ...

5.4CVSS3.2AI score0.00944EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.68 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

Application Links needs to be updated see https://ecosystem.atlassian.net/browse/APL-1356. The affected versions of Application Links is/are before version 5.4.4...

4.8CVSS2.1AI score0.00635EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/12 4:17 a.m.68 views

XSS through a project or filter name in the PieChart gadget - CVE-2017-16863

The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a project or filter...

6.1CVSS5.7AI score0.00809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/05/10 10:10 a.m.67 views

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Bitbucket Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server...

7.8AI score
Exploits0
Atlassian
Atlassian
added 2023/10/08 8:44 a.m.67 views

RCE (Remote Code Execution) in - CVE-2022-1471

h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE Remote Code Execution. i Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed...

9.8CVSS9.8AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2023/03/23 10:26 p.m.67 views

Upgrade Postgres for CVE-2022-41946

h3. Issue Summary The version of Postgresql bundled in Bitbucket is affected by CVE-2022-41946|https://nvd.nist.gov/vuln/detail/CVE-2022-41946 as described below: quote pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either...

5.5CVSS5.5AI score0.0048EPSS
Exploits1
Atlassian
Atlassian
added 2021/08/04 2:52 p.m.67 views

Vulnerable version of XStream used in Jira Server and Data Center - CVE-2021-29505

Affected versions of Atlassian Jira Server and Data Center used versions of XStream that were vulnerable to security exploits including CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html. The affected versions of Jira Server and Data Center are before version 8.18.0. Affected versions:...

8.8CVSS8.3AI score0.77735EPSS
Exploits1
Atlassian
Atlassian
added 2021/05/06 8:5 a.m.67 views

Stored XSS on Jira Issue XML Export - CVE-2021-26082

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in XML Export. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0. Affected...

5.4CVSS4.3AI score0.00735EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/10/28 5:45 p.m.67 views

Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

Affected versions of Atlassian Dev Tools allow remote attackers to browse local files via an Insecure Direct Object References IDOR vulnerability in WEB-INF in Fisheye/Crucible. The affected versions are before version 4.8.5. Affected versions: version 4.8.5 Fixed versions: 4.8.5 4.9.0...

5.3CVSS5.8AI score0.01144EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:50 a.m.67 views

XSS in malicious repository file

A malicious file added to a repository will cause an XSS to file inside of FishEye...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/06/01 6:40 a.m.67 views

JIRA puts a user's XSRF token in various resources.

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61250. panel h5. Steps to Reproduce: Log into JIRA Log out from JIRA h5. Expected Results: The URL shown in the address bar does not show the...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/06/22 4:5 p.m.66 views

Full Read SSRF in Mobile Plugin CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user including a user who joined via the sign-up feature to perform a full read server-side request forgery via a batch endpoint. This affects Jira Management Server and Data Center versions from versi...

6.5CVSS4.8AI score0.71169EPSS
Exploits1
Atlassian
Atlassian
added 2022/05/27 8:29 p.m.66 views

Full Read SSRF in Mobile Plugin CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user including a user who joined via the sign-up feature to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0...

6.5CVSS6.5AI score0.71169EPSS
Exploits1
Atlassian
Atlassian
added 2021/11/01 10:27 p.m.66 views

Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC and Insight Asset Management app where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These specia...

8.3CVSS2.9AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/10/28 2:54 a.m.66 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS4.2AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/07/02 12:39 a.m.66 views

Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version...

7.5CVSS5.9AI score0.01809EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/07 12:16 a.m.66 views

XSS in fieldID - CVE 2021-26079

The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected...

6.1CVSS3.8AI score0.01237EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/11 7:39 p.m.66 views

Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center are susceptible to Tomcat PersistenceManager vulnerabilities. Affected versions: ≤ 8.16.0 Fixed versions: pending...

7.5CVSS7.1AI score0.18114EPSS
Exploits15
Atlassian
Atlassian
added 2021/01/22 5:27 p.m.66 views

Accessing the URL /chart?filename=<file_name> exposes sensitive information - CVE-2021-26067

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions...

5.3CVSS4.6AI score0.0111EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/08/03 12:57 a.m.66 views

Information disclosure of repository HTTP password in logs - CVE-2017-18112

Affected versions of Atlassian FishEye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. Affected versions: version 4.8.3 Fixed versions: 4.8.3 4.9.0...

6.5CVSS4.5AI score0.01019EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.66 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/02 9:6 a.m.66 views

Active Directory/LDAP credentials stored in database in cleartext

We use an Active Directory server for authenticating our JIRA users, and a MySQL server for storing our JIRA data. We were extremely alarmed to discover that the username and password used for accessing the AD server are stored in cleartext in the MySQL database. Anyone who is able to compromise...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/01 3:29 p.m.66 views

Subpages don't inherit permissions from parent pages (see comments for solution)

We are currently experiencing a serious issue with page restrictions. We have pages with restrictions, that have sub pages, which were created by users, that were deleted from the user directory in the meantime. These root-pages have read restrictions, set for a particular group. However, these s...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/02/10 5:56 a.m.66 views

Security vulnerability in apache commons fileupload

Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library...

7.5CVSS4.5AI score0.83175EPSS
Exploits8Affected Software1
Atlassian
Atlassian
added 2013/05/08 1:31 p.m.66 views

UI Redressing (Clickjacking)

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-29230. panel Confluence is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to fra...

Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/11 9:13 p.m.65 views

RCE (Remote Code Execution) in Confluence Data Center and Server - CVE-2022-1471

h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE Remote Code Execution. i Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed v...

9.8CVSS7.2AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2022/11/17 4:5 p.m.65 views

Upgrade Apache Commons-text for CVE-2022-42889

h3. DISCLAIMER panel:bgColor=e3fcef ! Crowd IS NOT VULNERABLE to CVE-2022-42889|https://vulners.com/cve/CVE-2022-42889. This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next...

9.8CVSS9.1AI score0.99931EPSS
Exploits41
Atlassian
Atlassian
added 2022/06/06 12:49 p.m.65 views

Jira: Multiple vulnerabilities in log4j < 1.2.17-atlassian-16

The version of log4j used by Jira has been updated from version 1.2.17-atlassian-3 to 1.2.17-atlassian-16 to address the following vulnerabilities: CVE-2021-4104|https://vulners.com/cve/CVE-2021-4104 JMSAppender is vulnerable to a deserialization flaw. A local attacker with privileges to update t...

9.8CVSS9.9AI score0.81147EPSS
Exploits10
Atlassian
Atlassian
added 2021/10/28 2:54 a.m.65 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS4.2AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.65 views

Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira...

7.2CVSS6.6AI score0.01832EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/26 5:57 a.m.65 views

Unauthenticated users can inject messages into the XSRF token error page

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to display arbitrary messages in the application via an injection vulnerability in the XSRF token error page. The affected versions are before version 8.5.14, and from version 8.6.0 before 8.12.1. ...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/25 3:53 a.m.65 views

Anonymously accessible Dashboards can leak private information via configured gadgets - CVE-2020-36287

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. Affected...

5.3CVSS5.3AI score0.08951EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/06/19 4:5 a.m.65 views

XSS in Navigation - Search - CVE-2020-14169

The quick search component in Atlassian Jira Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. Affected versions: version 8.9.1 Fixed versions: 8.9.1 8.10.0...

6.1CVSS6AI score0.00765EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295