Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2021/12/17 7:3 p.m.65 views

Upgrade Logback for CVE-2021-42550

h3. Issue Summary In the wake of Log4Shell, CVE-2021-42550 has been created for similar JNDI considerations in Logback. The Logback maintainers have removed some functionality from Logback in response and released Logback 1.2.9. Please note: There is no RCE in Logback, and there is no vulnerabili...

8.5CVSS1.8AI score0.04439EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/10/28 2:54 a.m.65 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS4.2AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.65 views

Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References IDOR vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version...

7.5CVSS5.6AI score0.0157EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.65 views

Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira...

7.2CVSS6.6AI score0.01892EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/25 3:53 a.m.65 views

Anonymously accessible Dashboards can leak private information via configured gadgets - CVE-2020-36287

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. Affected...

5.3CVSS5.3AI score0.08951EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/06/19 4:5 a.m.65 views

XSS in Navigation - Search - CVE-2020-14169

The quick search component in Atlassian Jira Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. Affected versions: version 8.9.1 Fixed versions: 8.9.1 8.10.0...

6.1CVSS6AI score0.00765EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/02 3:23 p.m.65 views

Velocity Template Injection in Custom user macros - Macros Platform - CVE-2020-4027

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. This issue was discovered and reported by GHSL team member...

6.5CVSS4.3AI score0.01515EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 11:32 p.m.65 views

Upgrade Xstream to address CVE-2016-3674

The bundled version of XStream in Fisheye before version 4.7.1 was vulnerable to CVE-2016-3674 https://nvd.nist.gov/vuln/detail/CVE-2016-3674...

7.5CVSS1.6AI score0.08179EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/09 3:15 a.m.65 views

reflected xss in the pageId request parameter in 500page.jsp

A scanner picked up that the pageId parameter in 500page.jsp is a potentially reflected xss bug. This can be exploited through a url like the following: https://example.com/pages/viewtrash.vm;editpage?pageId=%22%3E%3Cscript%3Ealert1%3C/script%3E code /images/icons/emoticons/warning.png" You can...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/04/16 9:46 p.m.64 views

REST API pagination (eg, /rest/api/space) returns more data than available

h3. Issue Summary This issue relates to general paginated results. Requesting data from an endpoint such as /rest/api/space or rest/api/content causes Confluence to return more data than available. This is reproducible on Data Center: yes h3. Steps to Reproduce Request /rest/api/space to collect...

7AI score
Exploits0
Atlassian
Atlassian
added 2023/12/07 9:45 p.m.64 views

XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, and 9.6.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows ...

7.5CVSS7.4AI score0.17611EPSS
Exploits0
Atlassian
Atlassian
added 2022/07/05 4:36 p.m.64 views

JSM: Multiple Servlet Filter Vulnerabilities

Multiple Servlet Filter vulnerabilities have been fixed in Jira Service Management Server and Data Center. These vulnerabilities also affect other Atlassian products. For more information, refer to Atlassian's security...

9.8CVSS1.7AI score0.04244EPSS
Exploits0
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.64 views

Issue watchers continue receiving updates even after their Jira account is revoked - CVE-2021-39119

h3. Summary Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are...

5.3CVSS5AI score0.00752EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.64 views

Self-xss via copying content from a PDF - CVE-2021-39111

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the handling of supplied content such a...

6.1CVSS3.2AI score0.00978EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/22 9:11 p.m.64 views

Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2021-25329|https://nvd.nist.gov/vuln/detail/CVE-2021-25329 and CVE-2021-25122|https://nvd.nist.gov/vuln/detail/CVE-2021-25122. The affected versions are before version 8.17.0. ...

7.5CVSS7.1AI score0.18114EPSS
Exploits15
Atlassian
Atlassian
added 2020/09/03 11:53 p.m.64 views

A URL to the unknown attachment place-holder utilizes http instead of https when https is configured

h3. Issue Summary A URL to the unknown attachment place-holder utilizes http instead of https when base URL is set to https, and tomcat server.xml scheme is set to https. h3. Steps to Reproduce Create a page and add an attachment to it. Open Attachments page from the view page and remove the...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/02/17 6:0 a.m.64 views

Spring Framework Vulnerability - CVE-2020-5398

h3. Issue Summary Security vulnerability scan gave a red flag for Spring Framework plugin version that is used in Bitbucket Server version 6.10.0. The CVE-2020-5398 is being noted from the report scan. h3. Description Plugin: Spring Framework 5.0.x 5.0.16 / 5.1.x 5.1.13 / 5.2.x 5.2.3 Spring...

8CVSS3.3AI score0.88077EPSS
Exploits2
Atlassian
Atlassian
added 2019/07/08 11:7 p.m.64 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Fisheye before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...

5.4CVSS3.2AI score0.00921EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/21 12:23 a.m.64 views

Upgrade bundled Tomcat to 6.0.37

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29345. panel Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version...

6.8CVSS2.4AI score0.11975EPSS
Exploits9Affected Software1
Atlassian
Atlassian
added 2023/12/05 6:46 a.m.63 views

RCE in Confluence Data Center and Server - CVE-2023-22522

h2. Summary of Vulnerability This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and...

9CVSS7.1AI score0.12844EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/10 1:44 a.m.63 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1 and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.2AI score0.99999EPSS
Exploits19
Atlassian
Atlassian
added 2023/01/12 10:45 p.m.63 views

Critical severity authentication vulnerability - CVE-2023-22501

An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled...

9.4CVSS3.9AI score0.15978EPSS
Exploits0
Atlassian
Atlassian
added 2021/06/30 3:9 a.m.63 views

Jira Data Center & Jira Service Management Data Center - Missing Authentication for Ehcache RMI - CVE-2020-36239

h3. Issue Summary Jira Data Center, Jira Core Data Center, Jira Software Data Center, and Jira Service Management Data Center exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011 012, could execute arbitrary code of their choic...

9.8CVSS9.6AI score0.48883EPSS
Exploits1
Atlassian
Atlassian
added 2020/11/19 12:8 a.m.63 views

Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611

Affected versions of Atlassian FishEye/Crucible allow remote attackers to execute arbitrary code via a Remote Code Execution RCE vulnerability via an unintentional expression in Freemarker tags, in Apache Struts. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fix...

9.8CVSS7.8AI score0.8802EPSS
Exploits6
Atlassian
Atlassian
added 2020/10/06 10:57 p.m.63 views

XSS in Jira issue filter export file via malicious full name - CVE-2020-14184

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in Jira issue filter export files. The affected versions are before version 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before...

5.4CVSS3.7AI score0.00944EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/27 10:52 p.m.63 views

SSRF via WebDAV endpoint - CVE-2019-3395

There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance. Affected versions: All versions of Confluence Server and Confluence Data Center...

9.8CVSS2.9AI score0.06712EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/29 1:26 a.m.63 views

Download a deleted page via word export - CVE-2018-20237

Atlassian Confluence Server from version 6.12.0 or earlier, and before version 6.13.1, or before version 6.14.0 allows an authenticated user to download a deleted page via the word export feature...

6.5CVSS4.4AI score0.01737EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/12/12 8:33 a.m.63 views

REST endpoint user impersonation using authentication module functionality - CVE-2017-16858

The 'crowd-application' plugin module notably used by the Google Apps plugin in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given th...

6.8CVSS6.4AI score0.00576EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/08 5:5 a.m.63 views

Command Injection (CVE-2017-8768)

SourceTree for Windows is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Affected versions: Versions of SourceTree for Windows starting with 0.8.4b before version 2.0.20.1 are affected by this...

10CVSS3.1AI score0.08262EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/06 5:44 p.m.62 views

jackson-databind Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.5AI score0.0486EPSS
Exploits1
Atlassian
Atlassian
added 2022/03/15 7:56 p.m.62 views

Template Injection in Email Templates - bypass of mitigation via XStream - CVE-2022-36799

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Templat...

7.2CVSS7.8AI score0.44604EPSS
Exploits0
Atlassian
Atlassian
added 2022/03/04 1:52 a.m.62 views

CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService

Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...

4.3CVSS5AI score0.00736EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/01 9:59 p.m.62 views

Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the...

8.3CVSS3.9AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/07/14 11:35 a.m.62 views

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

h3. Issue Summary The recently disclosed vulnerability regarding Apache Tomcat CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037, CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037 Base Score: 5.3 MEDIUM CVE-2021-42340|https://vulners.com/cve/CVE-2021-42340 NVD score not yet...

7.5CVSS6.5AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2021/02/03 10:45 p.m.62 views

Update application links to 5.4.23 to fix CVE-2020-5398

Affected versions of Atlassian FishEye and Crucible allow remote attackers to view sensitive information via an Information Disclosure vulnerability in a vulnerable version of the Application Links component. The affected versions are before version 4.8.6. Affected versions: version 4.8.6 Fixed...

8CVSS7.4AI score0.88077EPSS
Exploits2
Atlassian
Atlassian
added 2021/01/21 1:53 a.m.62 views

Username enumeration via password reset page - CVE-2021-39125

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS6.2AI score0.01401EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:27 a.m.62 views

Missing permission check in several worklog rest resources - CVE-2019-8445

Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check...

5.3CVSS5.4AI score0.02711EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:50 p.m.62 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Fisheye before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Fisheye...

6.1CVSS1.5AI score0.87218EPSS
Exploits4
Atlassian
Atlassian
added 2019/02/28 3:2 a.m.62 views

Remote code execution via Widget Connector macro - CVE-2019-3396

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. ...

10CVSS3.2AI score0.99913EPSS
Exploits20
Atlassian
Atlassian
added 2012/08/09 3:15 a.m.62 views

reflected xss in the pageId request parameter in 500page.jsp

A scanner picked up that the pageId parameter in 500page.jsp is a potentially reflected xss bug. This can be exploited through a url like the following: https://example.com/pages/viewtrash.vm;editpage?pageId=%22%3E%3Cscript%3Ealert1%3C/script%3E code /images/icons/emoticons/warning.png" You can...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/06 5:45 p.m.61 views

FasterXML Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.9AI score0.02824EPSS
Exploits2
Atlassian
Atlassian
added 2022/03/10 4:57 a.m.61 views

Tomcat versions bundled with the Crowd product are vulnerable to CVE-2021-33037

The different Tomcat versions 8.5.X bundled to the Atlassian Crowd product versions lower than Crowd 4.4.1 are vulnerable to CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037 The Tomcat versions from 8.5.0 to 8.5.66 are affected by the mentioned...

5.3CVSS6AI score0.75353EPSS
Exploits1
Atlassian
Atlassian
added 2021/11/02 11:0 p.m.61 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bamboo) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bamboo where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or cod...

8.3CVSS8.3AI score0.12205EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2021/10/25 1:13 a.m.61 views

Reflected XSS /secure/admin/ImporterFinishedPage.jspa via error message - CVE-2021-41304

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from...

6.1CVSS5AI score0.00848EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.61 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/26 5:0 p.m.61 views

RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237

There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system. Thi...

7.8CVSS4.6AI score0.00436EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/25 7:2 a.m.61 views

Jira bundles a vulnerable version of atlassian-gadgets - CVE-2020-36232

The atlassian-gadgets plugin used in affected versions of Atlassian Jira Server and Data Center allows unexpected DNS lookups and requests to malicious servers via server side request forgery vulnerability. The affected versions are before version 8.5.10, from version 8.6.0 before version 8.13.2,...

5CVSS3.6AI score0.00975EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/08 3:40 a.m.61 views

Service enumeration via applinks/listEntityLinks/

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate internal services via an Information Disclosure vulnerability. The vulnerability is only exploitable if WebSudo is disabled in Jira. Affected versions: version 8.4.2 Fixed versions: 8.4.2 8.5.0...

5.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/12/03 2:58 a.m.61 views

The VerifyPopServerConnection resource was vulnerable to SSRF - CVE-2018-13404

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from...

4.1CVSS2.5AI score0.01142EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:50 a.m.61 views

Various XSS through a repository or review filename - CVE-2017-9508

Various resources in Atlassian FishEye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a repository or review file...

5.4CVSS3.8AI score0.00826EPSS
Exploits0
Total number of security vulnerabilities4295