Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2021/01/20 2:33 a.m.38 views

Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability BAC vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS5.4AI score0.01272EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/26 5:44 a.m.38 views

Template injection vulnerability in Automation for Jira smart values - CVE-2020-14193

Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The affected versions are thos...

5.5CVSS5.7AI score0.0077EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/19 12:18 a.m.38 views

DoS vulnerability in MessageBundleResource - CVE-2020-14191

Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed...

7.5CVSS6.8AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/03 10:38 p.m.38 views

Regex DoS via JQL version searching - CVE-2020-14177

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service DoS vulnerability in JQL version searching. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.7 8.6.0 ≤ version 8.10.2 8.11.0 ≤ versi...

6.5CVSS6.4AI score0.02233EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/29 5:18 a.m.38 views

XSS in Issue - Attachments - CVE-2020-4024

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9...

5.4CVSS5.2AI score0.00926EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:25 a.m.38 views

Network enumeration via CSRF in Applinks endpoint

The Applinks endpoint in Atlassian Jira Server and Data Center in affected versions allows remote attackers to enumerate local network resources via a cross-site request forgery CSRF vulnerability. Affected versions: version 8.5.4 8.6.0 ≤ version 8.7.0 Fixed versions: 8.5.4 8.7.0...

4.7CVSS6.7AI score0.01021EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2019/12/16 10:14 p.m.38 views

Improper authorization check in the WorkflowResource class removeStatus method - CVE-2019-15013

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a projec...

4.3CVSS6.1AI score0.0121EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:19 p.m.38 views

Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email...

4.3CVSS3.6AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/25 9:43 p.m.38 views

Improper Authorization in Confluence Server through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was bundled in Confluence Server & Confluence Data Center before version 7.0.1, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a...

4.3CVSS3.5AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 3:26 a.m.38 views

User enumeration in the login.jsp resource - CVE-2019-8448

The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01809EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/12 2:41 a.m.38 views

XSS in the FilterPickerPopup.jspa resource through the searchOwnerUserName parameter - CVE-2019-14996

The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the searchOwnerUserName parameter...

6.1CVSS4AI score0.01274EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:43 a.m.38 views

Update Application links to ensure that a version of jackson-databind containing a fix for CVE-2018-14721 is used

The version of the Atlassian Application links plugin used in Fisheye before version 4.7.1 contained a version of jackson-databind that was vulnerable to CVE-2018-14721...

10CVSS3AI score0.10458EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/08 11:7 p.m.38 views

XSS in various types of nested wiki markup - CVE-2017-18102

The bundled version of atlassian-renderer in Fisheye before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...

5.4CVSS5.1AI score0.00921EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/14 7:4 p.m.38 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.7AI score0.03401EPSS
Exploits0
Atlassian
Atlassian
added 2018/12/03 2:58 a.m.38 views

The VerifyPopServerConnection resource was vulnerable to SSRF - CVE-2018-13404

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from...

4.1CVSS2.5AI score0.01142EPSS
Exploits0
Atlassian
Atlassian
added 2018/11/12 5:12 p.m.38 views

Security clean up /plugins/servlet/Wallboard.old 200 response

A low risk Path-Based Vulnerability exists at /plugins/servlet/Wallboard.old. Stylesheets and basic html page load for page that should not exist/deprecated...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/28 12:36 a.m.38 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0
Atlassian
Atlassian
added 2018/03/22 5:48 a.m.38 views

XSS through header injection in the /browse/~raw resource - CVE-2018-5228

The /browse/raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the handling of response headers...

6.1CVSS4.4AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2017/07/17 7:43 a.m.38 views

XSS in review dashboard through a custom filter title - CVE-2017-9507

The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the review filter title parameter...

5.4CVSS4.1AI score0.00818EPSS
Exploits0
Atlassian
Atlassian
added 2017/02/07 3:22 p.m.38 views

Service Desk mail handler create comments in other JIRA issues if subject have valid issues keys

h3. Summary Service Desk mail handler create comments in other JIRA issues if email subject have valid issues keys of issues from other JIRA Projects. h3. Environment Cloud h3. Steps to Reproduce Create a SD project Setup the mail handler Create another project and create an issue on it. Send an...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/28 4:54 a.m.38 views

Upgrade bundled Java to 8u101+

Oracle's Critical patch update for July includes some "unspecified vulnerability", for example CVE-2016-3552 & CVE-2016-3503, fixes in the "install" component of java that may affect JIRA...

8.1CVSS2.7AI score0.00509EPSS
Exploits0
Atlassian
Atlassian
added 2016/05/31 3:21 a.m.38 views

Forms that use the GET method cause the XSRF token to be added to the URL

h5.Steps to Reproduce: In Confluence, visit the "My Profile" page /users/viewuserprofile.action Click "Edit Profile" Note that no atltoken is present in the URL. Click "Settings" /users/viewmysettings.action Click "Edit" Note that the atltoken value is present in the URL. h5.Cause Some forms are...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/27 4:0 a.m.38 views

CVE-2016-4317: XSS on viewmyprofile.action page

The viewmyprofile.action resource was vulnerable to persistent XSS...

5.4CVSS2.2AI score0.0071EPSS
Exploits0
Atlassian
Atlassian
added 2014/07/19 3:14 p.m.38 views

REST API allows to get worklog from issue without access rights to that issue

On JIRA OnDemand v6.3-OD-08-005-WN also here! it's possible to get worklog by it's ID even if this worklog does not belong to issue passed in API url. Example: On our OnDemand instance I have access rights to . When I add worklog to this issue via REST API, I get its id . Now, when I call GET...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/01 10:54 a.m.38 views

Reflected cross-site scripting (XSS) in dosearchsite action

The dosearchsite action is vulnerable to reflected cross-site scripting XSS via the searchQuery.spaceKey parameter. This vulnerability appears to be very similar to issue CONF-30318 and fixes implemented in response to that issue may fix this vulnerability. If the URL below is visited by an...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/11 7:42 a.m.38 views

disable XSRF check property has no effect on REST API

When disable the xsrf through the property in jira.xsrf.enabled=false in jira-config.properties according to the page|https://developer.atlassian.com/display/JIRADEV/Form+Token+Handling, it doesn't stop the xsrf checking when using JIRA REST API. However, the property took effect when you try som...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.38 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/05/07 9:54 a.m.37 views

Memory leak while accessing <base-url>label/<labelname> (label search) on objects created in io.micrometer.core.instrument.ImmutableTag

h3. Issue Summary Memory leak while accessing label/ label search on objects created in io.micrometer.core.instrument.ImmutableTag This is reproducible on the Data Center: yes h3. Steps to Reproduce Use the following script to search randomly for labels code:java while : do curl...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/02/14 8:12 a.m.37 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in version 6.10 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS7.5AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2024/08/14 12:24 a.m.37 views

DoS (Denial of Service) org.clojure:clojure Dependency in Confluence Data Center and Server

This High severity org.clojure:clojure Dependency vulnerability was introduced in versions 6.0.0 of Confluence Data Center and Server. This org.clojure:clojure Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.7AI score0.01533EPSS
Exploits1
Atlassian
Atlassian
added 2024/01/17 6:46 a.m.37 views

DoS (Denial of Service) ch.qos.logback:logback-classic Dependency in Confluence Data Center and Server

This High severity ch.qos.logback:logback-classic Dependency vulnerability was introduced in versions 6.0.1 of Confluence Data Center and Server. This ch.qos.logback:logback-classic Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.1AI score0.00682EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/15 6:52 a.m.37 views

RCE (Remote Code Execution) in Confluence Data Center and Server

This High severity Remote Code Execution RCE vulnerability was introduced in version 2.1 of Confluence Data Center and Server. Remote Code Execution RCE vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to...

8.8CVSS7.8AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/09 5:45 a.m.37 views

DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server

This High severity ch.qos.logback:logback-core Dependency vulnerability was introduced in versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This ch.qos.logback:logback-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.009EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/14 2:45 p.m.37 views

Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server

This High severity org.codehaus.plexus:plexus-utils Dependency vulnerability was introduced in versions 9.2.1 of Bamboo Data Center and Server. This org.codehaus.plexus:plexus-utils Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:...

7.5CVSS6.6AI score0.01347EPSS
Exploits0
Atlassian
Atlassian
added 2023/12/14 2:45 p.m.37 views

RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server

This High severity com.h2database:h2 Dependency vulnerability was introduced in versions 9.1.0, 9.2.1, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This com.h2database:h2 Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H...

8.8CVSS7.8AI score0.34986EPSS
Exploits2
Atlassian
Atlassian
added 2023/11/22 2:44 a.m.37 views

DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 4.20.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.4AI score0.02114EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/30 2:10 p.m.37 views

Help links not using security attributes

h3. Issue Summary Links to documentation use the anchor tag attribute target="blank" without using rel="noopener noreferrer". Best practice is to include rel="noopener noreferrer" on any link opened with target="blank" We've had some customers report that this is triggering automated security...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/15 6:15 a.m.37 views

Anonymous users can access the /rest/whitelist/<version>/check resource - CVE-2019-20101

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist//check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. Affected...

5.3CVSS5.3AI score0.01331EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/08 1:49 a.m.37 views

An admin can downgrade or remove a group with sys admin privilege

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/02 12:39 a.m.37 views

Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version...

7.5CVSS7.1AI score0.01809EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/26 5:44 a.m.37 views

Template injection vulnerability in Automation for Jira smart values - CVE-2020-14193

Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The affected versions are thos...

5.5CVSS5.7AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:26 p.m.37 views

Security misconfiguration in the /json/fe/activeUserFinder.do resource - CVE-2020-4015

The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a security misconfiguration...

4.3CVSS5AI score0.0096EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/14 9:36 p.m.37 views

SSRF when adding Jira server in admin plugin

h2. Please be aware that Atlassian does not consider this issue to represent a security risk as the functionality is restricted to users with administrative rights. h3. Issue Summary When adding a Jira server in Bamboo under the "User directories" module, an attacker can put any value in the...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/10/11 3:21 a.m.37 views

Authorization bypass allows information disclosure - CVE-2019-15003

h3. Authorization bypass allows information disclosure - CVE-2019-15003 h4. Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels|https://www.atlassian.com/security/security-severity-levels. The scale allow...

7.5CVSS1.7AI score0.03907EPSS
Exploits0
Atlassian
Atlassian
added 2019/10/11 3:12 a.m.37 views

URL path traversal allows information disclosure - CVE-2019-15004

URL path traversal allows information disclosure - CVE-2019-15004 Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is...

7.5CVSS1.4AI score0.03907EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:6 p.m.37 views

Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization...

4.3CVSS3.9AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 1:22 a.m.37 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:27 a.m.37 views

Missing permission check in several worklog rest resources - CVE-2019-8445

Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check...

5.3CVSS5.3AI score0.02711EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:28 a.m.37 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Fisheye before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

1.9AI score
Exploits0
Atlassian
Atlassian
added 2019/05/28 6:58 p.m.37 views

Remote code execution vulnerability for Sourcetree for Windows - CVE-2019-11582

There was an argument injection vulnerability in SourceTree for Windows in URI handlers. A remote, unauthenticated attacker was required to convince a user to interact with a crafted URL in order to exploit the vulnerability. With user interaction, an attacker could gained remote code execution o...

9.3CVSS4.6AI score0.04936EPSS
Exploits0
Total number of security vulnerabilities4295