Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2019/09/09 1:22 a.m.37 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:27 a.m.37 views

Missing permission check in several worklog rest resources - CVE-2019-8445

Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check...

5.3CVSS5.3AI score0.02711EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/09 2:28 a.m.37 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Fisheye before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

1.9AI score
Exploits0
Atlassian
Atlassian
added 2019/05/28 6:58 p.m.37 views

Remote code execution vulnerability for Sourcetree for Windows - CVE-2019-11582

There was an argument injection vulnerability in SourceTree for Windows in URI handlers. A remote, unauthenticated attacker was required to convince a user to interact with a crafted URL in order to exploit the vulnerability. With user interaction, an attacker could gained remote code execution o...

9.3CVSS4.6AI score0.04936EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/30 2:30 a.m.37 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Confluence before version 6.15.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more detail...

5.4CVSS3.4AI score0.03401EPSS
Exploits0
Atlassian
Atlassian
added 2016/07/07 12:32 a.m.37 views

CVE-2016-4319: /auditing/settings was vulnerable to CSRF

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61803. panel The /auditing/settings resource was vulnerable to CSRF|https://en.wikipedia.org/wiki/Cross-siterequestforgery attacks...

8.8CVSS1.8AI score0.00666EPSS
Exploits0
Atlassian
Atlassian
added 2015/07/02 3:27 a.m.37 views

xss by swf file

In confluence comment module user can embed swf file in their comment, confluence are using a atltoken parameter on GET HTTP request, if the attacker send the link of .swf file the value of src on embed tag to his victim the malicious .SWF won't execute on the victim's browser . We can bypass thi...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/22 7:38 p.m.37 views

Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X

h3. Steps to reproduce: Confluence 3.5.13 Installed, booted up Postregres DB Shutdown, applied patch following advisory admin panel not accessible content appears to be missing see errors in the logs: code 2014-05-22 16:28:50,308 ERROR http-8080-1 Standalone.localhost./.action log Servlet.service...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/24 12:58 a.m.37 views

Persistent XSS in JIRA charting plugin Workload Pie Chart Report

The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...

6.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/26 4:54 p.m.37 views

'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled

quote LDAP directory users and groups exposed via the /users/userpicker.action. There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior. quote quote The second exposed function that is part of this vulnerability is...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/03/30 3:47 a.m.37 views

XML Vulnerability in JIRA

We have identified and fixed a vulnerability in JIRA that results from the way third-party XML parsers are used in JIRA. This vulnerability allows an attacker who is an authenticated JIRA user to execute denial of service attacks against the JIRA server. All versions of JIRA up to and including...

3.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/10/19 5:42 p.m.37 views

Secure Section Macro

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-23637. panel This is a suggestion to create a new Macro/Plugin that worked similar to the Column Macro with the major differenc...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/04/06 5:41 p.m.37 views

Seraph in Confluence 3.5 environment no longer able to instantiate custom authenticator

Customer using custom authenticator no longer works in Confluence 3.5 despite updates to latest API, latest Atlassian SDK, and building against Confluence 3.5 and embedded Crowd. See attached error log from customer. In brief, error is: noformat Caused by:...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/08/18 1:18 a.m.37 views

XSS vulnerability can be exploited with the pagetree macro

Use the following markup: noformatpagetree:root=alert'12'noformat Whenever the page is viewed, the script will be executed...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/24 5:54 a.m.37 views

Implement login using google Authentication

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-14866. panel We are a small company , and we are using Google for mail , calender etc ... For now we are using open ldap to authenticate use...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/04/09 12:12 p.m.36 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Confluence Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 2.2 of Confluence Data Center and Server. This com.thoughtworks.xstream:xstream Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.6AI score0.02015EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/17 8:16 a.m.36 views

Successful user login events using PAT does not update last login date and are not added to the audit logs

h3. Issue Summary When users authenticate on Confluence, this information should be update last login date as well as add as new events on the audit log when full coverage is enabled for the Security category. Requests made with personal access tokens PAT for REST API won't create a new entry on...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/07/11 12:1 a.m.36 views

Third-Party Dependency in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.0.1 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation...

7.5CVSS4.5AI score0.014EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/03 8:30 a.m.36 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.7AI score0.11879EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/25 5:10 p.m.36 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity org.apache.struts:struts2-core Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.apache.struts:struts2-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.05467EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:53 a.m.36 views

Information Disclosure org.eclipse.jetty:jetty-util Dependency in Crowd Data Center and Server

This High severity org.eclipse.jetty:jetty-util Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.eclipse.jetty:jetty-util Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.05795EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:50 a.m.36 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...

8.8CVSS6.5AI score0.03473EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/03 12:45 a.m.36 views

DoS (Denial of Service) org.apache.tomcat:tomcat-catalina in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.19.1, 8.3.0, 8.4.0, 8.5.0, and 8.6.0 of Confluence Data Center and Server. This DoS Dependency vulnerability only impacts Windows instances, with a CVSS Score of 7.5 and a CVSS Vector of...

5.9CVSS7.1AI score0.01854EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/17 12:2 p.m.36 views

RCE (Remote Code Execution) in Bamboo Data Center and Server

This High severity RCE Remote Code Execution vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code...

8.8CVSS8AI score0.01223EPSS
Exploits0
Atlassian
Atlassian
added 2023/10/09 1:44 a.m.36 views

jackson-databind Vulnerability in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 4.20.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticat...

7.5CVSS6.8AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2022/08/25 5:48 p.m.36 views

Granting the 'Browse Project Archive' permission to a 'Custom Field' within a permission scheme allows all users to see archived issues in result set

h3. Issue Summary If within a project the 'Browse Project Archive' and 'Browse Project' permissions are granted to 'Group Custom Field' or to the 'Reporter' option within the permission scheme, the project will become available to search for any user with the 'Browse Project Archive' permission i...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/05/17 9:43 a.m.36 views

IDOR (Insecure direct object references) in Jira 8.13.10

We have found during testing that by sending a fake header with a domain name supplying as a suffix i.e. attack.eu into the Host header field, the web server processes the input to send the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual...

4.3CVSS5AI score0.01215EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/21 3:3 a.m.36 views

Jira Service Management / Insight Asset Management vulnerable to RCE Security

Description Insight - Asset Management has a feature to import data from several databases DBs. One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server remote code execution a.k.a. RCE. The H2 DB is bundled with Jira to help speed up...

8.8CVSS1.1AI score0.34986EPSS
Exploits2
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.36 views

Stored XSS on /secure/admin/AssociatedProjectsForCustomField.jspa - CVE-2021-41310

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Associated Projects feature /secure/admin/AssociatedProjectsForCustomField.jspa. The affected versions are before...

6.1CVSS4.5AI score0.00692EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/18 1:0 a.m.36 views

Self-xss via copying content from a PDF - CVE-2021-39111

The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the handling of supplied content such a...

6.1CVSS5.5AI score0.00978EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/21 1:53 a.m.36 views

Username enumeration via password reset page - CVE-2021-39125

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. Affected versions:...

5.3CVSS5.5AI score0.01356EPSS
Exploits0
Atlassian
Atlassian
added 2020/10/28 5:50 p.m.36 views

Local file disclosure / path traversal within WEB-INF in Crucible - CVE-2020-29446

Affected versions of Atlassian Dev Tools allow remote attackers to browse local files via an Insecure Direct Object References IDOR vulnerability in WEB-INF in Fisheye/Crucible. The affected versions are before version 4.8.5. Affected versions: version 4.8.5 Fixed versions: 4.8.5 4.9.0...

5.3CVSS5.8AI score0.01144EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/07/09 5:35 a.m.36 views

IDOR Disclosure of Private Project Titles - CVE-2020-14174

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References IDOR vulnerability in the Administration Permission Helper. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.7 8.6.0 ≤ version 8.9.2...

4.3CVSS5AI score0.01215EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/01 6:16 p.m.36 views

Information disclosure in API and Integrations - CVE-2020-14180

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. Affected versions:...

4.3CVSS5.8AI score0.00848EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/19 4:5 a.m.36 views

XSS in Navigation - Search - CVE-2020-14169

The quick search component in Atlassian Jira Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability. Affected versions: version 8.9.1 Fixed versions: 8.9.1 8.10.0...

6.1CVSS6AI score0.00765EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/29 5:19 a.m.36 views

XSS in Issue - Attachments - CVE-2020-4025

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a rdf content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed...

4.8CVSS5.1AI score0.00918EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/21 10:27 p.m.36 views

Template injection in Web Resources Manager - CVE-2020-14172

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.1 allowed remote attackers to achieve remo...

9.8CVSS5.1AI score0.02505EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:46 p.m.36 views

Information disclosure in the /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin - CVE-2020-4017

The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/05 4:3 p.m.36 views

CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerat...

4.3CVSS5AI score0.00743EPSS
Exploits1
Atlassian
Atlassian
added 2019/09/25 9:43 p.m.36 views

Improper Authorization in Confluence Server through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was bundled in Confluence Server & Confluence Data Center before version 7.0.1, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a...

4.3CVSS3.5AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/19 8:17 p.m.36 views

Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF/ directory and it's subdirectories, which may contain configuration files...

8.8CVSS2.6AI score0.11406EPSS
Exploits1
Atlassian
Atlassian
added 2019/08/12 2:47 a.m.36 views

XSS in various templates of the Optimization plugin - CVE-2019-8450

Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of a custom...

4.8CVSS5AI score0.00879EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:30 a.m.36 views

XSS in the wikirenderer component - CVE-2019-8444

The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in image attribute specification...

5.4CVSS5.2AI score0.0092EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:23 a.m.36 views

User enumeration through the issueTable resource - CVE-2019-8446

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.6AI score0.1755EPSS
Exploits1
Atlassian
Atlassian
added 2019/08/06 3:4 p.m.36 views

Bitbucket sends email notifications to unlicensed users for pushed commits in a repository

h3. Issue Summary An unlicensed user will continue to receive email notifications for pushed commits for repositories that the user was watching and receiving notifications when active. h3. Steps to Reproduce User1 enables email repository email notifications to be sent immediately User1 watches...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/07/09 2:33 a.m.36 views

Update the bundled version of OWASP AntiSamy to address issues

The bundled version of OWASP AntiSamy in Crucible before version 4.7.1 was vulnerable to CVE-2017-14735 https://nvd.nist.gov/vuln/detail/CVE-2017-14735 and CVE-2016-10006 https://nvd.nist.gov/vuln/detail/CVE-2016-10006...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2019/05/09 2:50 p.m.36 views

Ability to have the Websudo functionality working with SAML / SSO

h3. Problem Definition When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:27 a.m.36 views

Permissions bypass in the inline-create rest resource - CVE-2018-20826

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check...

4.3CVSS5.6AI score0.00847EPSS
Exploits1
Atlassian
Atlassian
added 2019/01/23 5:29 p.m.36 views

Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Affected versions:...

9CVSS3AI score0.05912EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/10 3:58 a.m.36 views

Issue reporter and assignee user email addresses were disclosed regardless of the email visibility setting - CVE-2018-13391

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote...

5.3CVSS2.3AI score0.01796EPSS
Exploits0
Total number of security vulnerabilities4295