Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2021/01/20 1:40 a.m.41 views

Board metadata is viewable without permissions via IDOR - CVE-2020-36231

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References IDOR vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. ...

4.3CVSS5AI score0.012EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/23 4:27 p.m.41 views

SSRF in Webhooks - CVE-2020-14170

Affected versions of Atlassian Bitbucket Server allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery SSRF vulnerability in Webhooks. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that...

4.3CVSS5.7AI score0.00829EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/08 9:14 p.m.41 views

REST API - Deactivate the REST API

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is active by default and there is no way to deactivate. It should have a similar option like the Enabling the Remote...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/23 1:50 a.m.41 views

DoS through Jira Gadget API - CVE-2019-20899

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. Affected versions: version 8.5.4 8.6.0 Fixed versions: This is fixed in versions 8.5.4, 8.6.1 and 8.7.0...

5.3CVSS5.2AI score0.02139EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/12 2:48 a.m.41 views

User enumeration through the groupuserpicker api resource - CVE-2019-8449

h3. Issue summary The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. h3. Workaround If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in...

5.3CVSS5.2AI score0.84771EPSS
Exploits8
Atlassian
Atlassian
added 2019/01/23 10:43 p.m.41 views

Input validation vulnerability via Git in Sourcetree for Mac - CVE-2018-17456

There was an input validation vulnerability in Sourcetree for macOS via a Git repository with submodules. A remote attacker with permission to commit to a Git repository linked in Sourcetree for macOS is able to able to exploit this issue to gain code execution on the system. h4. Affected version...

9.8CVSS3.7AI score0.97356EPSS
Exploits12
Atlassian
Atlassian
added 2018/05/11 5:57 a.m.41 views

Denial of service through the ForgotLoginDetails resource - CVE-2018-5231

The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it...

7.5CVSS5.2AI score0.02843EPSS
Exploits0
Atlassian
Atlassian
added 2017/12/18 2:40 a.m.41 views

XSS through the jqlQuery query parameter to the printable searchrequest issue resource - CVE-2017-14594

The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the jqlQuery query parameter...

6.1CVSS5.7AI score0.01039EPSS
Exploits0
Atlassian
Atlassian
added 2017/08/30 2:12 a.m.41 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an...

6.1CVSS2AI score0.71601EPSS
Exploits1
Atlassian
Atlassian
added 2016/07/31 11:34 p.m.41 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect Confluence...

8.1CVSS2.8AI score0.00509EPSS
Exploits0
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.41 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.3AI score0.00666EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/19 12:4 a.m.41 views

Upgrade Tomcat to the latest 8.0.x release

h3. Summary We are currently on 8.0.17 and have already been bitten by a bug in it: https://bz.apache.org/bugzilla/showbug.cgi?id=57476 We should upgrade to the latest to get the latest bugfixes. Also, there have been a number of recent CVEs involving Tomcat, most of which involve SecurityManager...

8.8CVSS7.2AI score0.1838EPSS
Exploits0
Atlassian
Atlassian
added 2014/07/17 11:20 p.m.41 views

Specify logging level to Prevent Root DEBUG from Exposing Login

h3. Summary Setting root level DEBUG can expose login information username/pw when JIRA is connected to Crowd for user management, as it outputs the REST POST contents that are transmitted through the HttpClient. h3. Environment Crowd integrated with JIRA for user management. h3. Steps to Reprodu...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/30 3:39 a.m.41 views

Remove url parameter support for os_username, os_password

Putting credentials in request parameters is likely to lead to those credentials being logged in access logs. h4. Workaround The following workaround is available in Jira 8.0.0 and higher versions. If you wish to prevent users from authenticating using url parameters, specifying their username &...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/30 3:39 a.m.41 views

Remove url parameter support for os_username, os_password

Putting credentials in request parameters is likely to lead to those credentials being logged in access logs. h4. Workaround The following workaround is available in Jira 8.0.0 and higher versions. If you wish to prevent users from authenticating using url parameters, specifying their username &...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2014/05/24 4:42 a.m.41 views

CVE-2013-4590 vulnerability with Tomcat 7.0.42 shipped with Crowd 2.7.2

Crowd 2.7.2 is shipped with Tomcat 7.0.42, which is susceptible to CVE-2013-4590|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4590 h3.Workaround Deploy Crowd WAR instead, with Tomcat 7.0.50 or above. Instructions here:...

4.3CVSS0.2AI score0.09487EPSS
Exploits1
Atlassian
Atlassian
added 2014/02/25 3:59 a.m.41 views

Velocity XSS in $space.name

I got the following email from Ulrich Kuhnhardt quote While we were doing some testing with XSS for the shiny new Publishing plugin we found that the velocity renderer does not escape $space.name To reproduce Create a space with name 'alert'bang'css' Create a user macro ’simple-space-name' in...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/26 9:6 a.m.41 views

View Content Permission Set not Complete.

The Content Permission Set returned from the method getViewContentPermissions is incomplete. It appears to only contain a single ContentPermission object regardless of how many View permisisons have been attached to a Page. 1 Create a new page 2 Assign a View restriction for 1 group 3 Assign View...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/08/07 3:37 p.m.41 views

EPIC FAIL: new user signups result in plain text email with all login details

After signing up to a JIRA instance, I got an email which simply amazed me - it contained: My username My email address My full name My password It was all there, right before me, in a plain-text unencrypted email sent across a public network. WTF?! I'm not sure which universe that's considered a...

Exploits0Affected Software1
Atlassian
Atlassian
added 2024/10/08 10:25 p.m.40 views

Bundled JRE Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.9.0, 8.19.0, and 9.2.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to expose assets in your environment susceptible...

7.4CVSS6.9AI score0.01136EPSS
Exploits0
Atlassian
Atlassian
added 2024/08/22 7:11 a.m.40 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Bamboo Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 9.2.1, 9.5.0, 9.6.0, and 10.0.0-rc3 of Bamboo Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.8AI score0.04602EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/03 8:30 a.m.40 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.10901EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/03 8:30 a.m.40 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.4AI score0.12697EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/04 5:45 a.m.40 views

DoS (Denial of Service) software.amazon.ion:ion-java Dependency in Confluence Data Center and Server

This High severity software.amazon.ion:ion-java Dependency vulnerability was introduced in versions 5.6 of Confluence Data Center and Server. This software.amazon.ion:ion-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allo...

7.5CVSS7.6AI score0.0082EPSS
Exploits0
Atlassian
Atlassian
added 2024/03/06 4:53 a.m.40 views

DoS (Denial of Service) org.apache.avro:avro Dependency in Jira Software Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a...

7.5CVSS7.2AI score0.01772EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/17 6:46 a.m.40 views

DoS (Denial of Service) org.apache.avro:avro Dependency in Confluence Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 4.1 of Confluence Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS8.6AI score0.01772EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/09 5:45 a.m.40 views

Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability was introduced in versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability, with a CVSS Score of 7.5...

7.5CVSS6.7AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/14 2:45 p.m.40 views

RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

This High severity org.jvnet.hudson:xstream Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This org.jvnet.hudson:xstream Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an...

9.3CVSS7.2AI score0.85001EPSS
Exploits7
Atlassian
Atlassian
added 2023/12/14 2:45 p.m.40 views

DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server

This High severity org.jvnet.hudson:xstream Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This org.jvnet.hudson:xstream Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.04928EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/14 7:45 a.m.41 views

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server

This High severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 9.2.1, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.02651EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/03 12:46 a.m.40 views

XSS org.apache.xmlgraphics:batik-script in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.13.0 and 7.19.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticate...

7.5CVSS7.3AI score0.0232EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/06 5:45 p.m.40 views

jackson-databind Vulnerability in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.1.0, 9.2.1, and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2023/03/15 2:40 p.m.40 views

JavaScript Code with variable containing underscore does not work

h3. Issue Summary JavaScript Code with a variable containing an underscore does not work in Page Template HTML macro 3rd Party Plugin Script Runner h3. Steps to Reproduce Sample code block: code:java $test $test1 $"inputname='variableValues.test'".changefunction console.log$this.val;...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2021/10/13 6:33 a.m.40 views

Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20....

4.3CVSS6.8AI score0.00842EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.40 views

Stored XSS on /secure/admin/AssociatedProjectsForCustomField.jspa - CVE-2021-41310

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Associated Projects feature /secure/admin/AssociatedProjectsForCustomField.jspa. The affected versions are before...

6.1CVSS4.5AI score0.00692EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/09 1:38 p.m.40 views

Stored XSS via Custom Fields creation on AssociateFieldToScreens page - CVE-2021-39117

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting SXSS vulnerability in the Custom Fields creation feature on the AssociateFieldToScreens page. This bug was introduced in version 8.15.0, and i...

4.8CVSS4.8AI score0.00635EPSS
Exploits0
Atlassian
Atlassian
added 2021/05/19 12:21 a.m.40 views

Reverse tabnapping via Project Shortcuts feature - CVE-2021-39112

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0...

4.9CVSS5.2AI score0.0073EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/17 9:41 p.m.40 views

CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-26071

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery CS...

3.5CVSS5.1AI score0.0049EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/21 6:34 p.m.40 views

XSS via ViewWorkflowSchemes.jspa, ListWorkflows.jspa - CVE-2020-36236

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version...

6.1CVSS5.6AI score0.01274EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/21 5:58 p.m.40 views

Pre-Authorization Limited Arbitrary File Read in Jira Server - CVE-2020-29453

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. h3. Affected versions: version 8.5.11 8.6.0 ≤ version 8.13.3 8.14.0 ≤ versi...

5.3CVSS5.6AI score0.23086EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/12 8:5 p.m.40 views

Information disclosure in Login - CVE-2020-4028

Users without session information should be pushed to the login page. Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login. Affected versions: version...

5.3CVSS3.2AI score0.00862EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:41 p.m.40 views

XSS in the review resource through objectives - CVE-2020-4013

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the review objectives...

5.4CVSS5.1AI score0.00628EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 2:3 a.m.40 views

XSS in the the review resource through the name of a missing branch - CVE-2019-15007

The review resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a missing branch...

4.8CVSS4.2AI score0.00596EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/11/12 12:11 a.m.40 views

Editing Applinks with Admin account without requiring Administrator Access (WebSudo)

h3. Issue Summary Applink can be edited without needing to log in with WebSudo access if given direct URL - $baseURL/plugins/servlet/applinks/edit/$appLink-ID User will still need to be an administrator to make this change as the page will only be accessible by an administrator as non-admin users...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/19 7:0 p.m.40 views

URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994

A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects...

7.5CVSS1.5AI score0.05876EPSS
Exploits1
Atlassian
Atlassian
added 2019/08/09 4:9 a.m.40 views

XSS in the MigratePriorityScheme resource - CVE-2019-11584

The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the priority icon url of an issue priority...

6.1CVSS4.3AI score0.0097EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:33 a.m.40 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Crucible before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

6.1CVSS2.3AI score0.02039EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/01/23 7:19 p.m.41 views

Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235

There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. h4. Affected...

9CVSS3.9AI score0.06686EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/28 4:38 a.m.40 views

Remote Code Execution in Sourcetree for Windows, via Mercurial repo with Git subrepo - CVE-2018-13397

There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to ga...

9CVSS5.9AI score0.02112EPSS
Exploits1
Atlassian
Atlassian
added 2017/09/21 12:10 a.m.40 views

The bundled Atlassian Activity Streams plugin had Improper Access control inside several rest inline action resource resource - CVE-2017-9506

The version of the bundled Atlassian Activity Streams plugin was vulnerable to Improper Access control. This allowed remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have...

6.1CVSS3.8AI score0.71601EPSS
Exploits1
Total number of security vulnerabilities4295