Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2019/09/03 6:28 p.m.36 views

Clicking on <agent> of a build result reveals details of all run builds, not only for the ones for which a non-Admin user has View permission

h3. Issue Summary h3. Environment This issue is approved to happen for Bamboo version 6.7.2 and 6.9.1, likely it happens for all Bamboo versions. h3. Steps to Reproduce Define a non-Admin user a Bamboo admin should already exist via installation Provide global, project and plan permissions,...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:47 a.m.36 views

XSS in various templates of the Optimization plugin - CVE-2019-8450

Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of a custom...

4.8CVSS5AI score0.00879EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:30 a.m.36 views

XSS in the wikirenderer component - CVE-2019-8444

The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in image attribute specification...

5.4CVSS5.2AI score0.0092EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:23 a.m.36 views

User enumeration through the issueTable resource - CVE-2019-8446

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.6AI score0.1755EPSS
Exploits1
Atlassian
Atlassian
added 2019/08/06 3:4 p.m.36 views

Bitbucket sends email notifications to unlicensed users for pushed commits in a repository

h3. Issue Summary An unlicensed user will continue to receive email notifications for pushed commits for repositories that the user was watching and receiving notifications when active. h3. Steps to Reproduce User1 enables email repository email notifications to be sent immediately User1 watches...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/05/09 2:50 p.m.36 views

Ability to have the Websudo functionality working with SAML / SSO

h3. Problem Definition When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:27 a.m.36 views

Permissions bypass in the inline-create rest resource - CVE-2018-20826

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check...

4.3CVSS5.6AI score0.00847EPSS
Exploits1
Atlassian
Atlassian
added 2019/01/23 5:29 p.m.36 views

Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Affected versions:...

9CVSS3AI score0.05912EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/10 3:58 a.m.36 views

Issue reporter and assignee user email addresses were disclosed regardless of the email visibility setting - CVE-2018-13391

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote...

5.3CVSS2.3AI score0.01796EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/05 4:40 p.m.36 views

Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially

h3. Summary Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially. If you synchronize nested groups with upper case letters into Confluence from Crowd / LDAP, and then update the external directory to remove the child groups, the groups will no...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/12 4:33 a.m.36 views

XSS through the orderby parameter in the issue search resource - CVE-2017-16864

The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the orderby parameter...

6.1CVSS5.7AI score0.01165EPSS
Exploits0
Atlassian
Atlassian
added 2017/10/23 12:40 p.m.36 views

XSS Vulnerability in JIRA Issue Export

A search endpoint is vulnerable to an XSS injection in certain cases. Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/12 6:53 a.m.36 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluen...

7.5CVSS0.9AI score0.03743EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:27 a.m.36 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to...

7.5CVSS1AI score0.03743EPSS
Exploits0
Atlassian
Atlassian
added 2015/06/01 6:42 p.m.36 views

Advanced JQL Search does not Respect User email visibility Hidden

h4. Problem The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails See screenshots h4. Steps to Reproduce Set User email visibility to Hidden JIRA Administration System General Configuration Edit Use...

Exploits0Affected Software1
Atlassian
Atlassian
added 2014/02/10 5:56 a.m.36 views

Security vulnerability in apache commons fileupload

Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library...

7.5CVSS7.5AI score0.83175EPSS
Exploits8
Atlassian
Atlassian
added 2013/08/22 4:55 a.m.36 views

Make custom field description and options rendering consistent for OnDemand and BTF

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-34440. panel JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/17 12:10 a.m.36 views

Able to create a repository from Source Tree on a Stash project on which i do not have 'admin' access

Able to create a repository from Source Tree on a Stash project on which i do not have 'admin' access. On Stash, only admin access will have option to create repositories, however Source Tree allows users to create repository on a Stash project where users have only 'write' access. This is a majo...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.36 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

5.8CVSS0.1AI score0.01758EPSS
Exploits1
Atlassian
Atlassian
added 2013/04/04 10:48 a.m.36 views

Editing "Global Templates" possible without admin login

If you are logged in to the admin panel you get the following line: quoteYou have temporary access to administrative functions. Drop access if you no longer require it. For more information, refer to the documentation.quote Pressing "Drop access" redirects you to the normal Wiki page, away from t...

7AI score
Exploits0
Atlassian
Atlassian
added 2012/11/05 2:56 a.m.36 views

On Windows, Fisheye attempts to make ssh keys private but appears to be unsucessful

While testing FE-4315 on Windows, I noticed that even when generating a private key using Fisheye, the files permissions do not appear to actually change. The code to make the file private is this, in FileSystemUtils: code if SystemUtils.ISOSWINDOWS String username = System.getenv"USERNAME"; Stri...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/02/06 8:21 p.m.36 views

Comment field on GH cards do not respect the comment visibility.

If you add the Comment field on any Issue Views on GH the field shows the latest comment but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on Planning board and Task board with any GH views Summaries, Cards and Lists. Steps to Reproduce: Add the comment field to a...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2011/09/07 10:10 p.m.37 views

View PDF Macro in Office Connector makes http fetch from Adobe from https session

The View PDF macro within the Office Connector plugin provides the following http URL even for https sessions when a user's browser fails the Flash installed test. http://www.adobe.com/images/shared/downloadbuttons/getflashplayer.gif It's bad form to mix http urls in with secured https sessions a...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/27 11:58 p.m.36 views

Password History Count does not work for ATLASSIAN-SECURITY directories

Testing this locally on Crowd 227, I set the password history count to 1, then tried resetting my password through the interface and through 'Forgot Password' e-mail link, but was able to consistent use old passwords. I also expired the password, forcing a password change, but that also let me...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/19 12:57 a.m.36 views

Brute force protection on JIRA 4.1 leaks valid account names

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21036. panel The brute force login protection in JIRA only activates when a real user account is accessed. This can be used by an attacker t...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/11 9:53 a.m.36 views

UnsupportedOperationException with hasPermissionToCreate when called with DocumentIssueImpl

Extending the SearchRequestPortlet for Kaamelot Portlet, I use WorklogService.hasPermissionToCreateJiraServiceContext jiraServiceContext, Issue issue . As SearchRequestPortlet provides through its SearchProvider a list of Issue based on class DocumentIssueImpl, the hasPermissionToCreate fails wit...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/04/18 4:29 p.m.35 views

Information Disclosure in Confluence Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.00447EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/06 6:11 a.m.35 views

Path Traversal org.springframework:spring-webmvc Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 3.0 of Confluence Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.14718EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/10 8:18 p.m.35 views

Stored XSS in Confluence Data Center and Server

This High severity Stored XSS vulnerability was introduced in version 3.0 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to...

8.8CVSS9.1AI score0.72648EPSS
Exploits15
Atlassian
Atlassian
added 2024/08/14 7:10 a.m.35 views

DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability was introduced in versions 8.9.0 and 8.19.0 of Bitbucket Data Center and Server. This org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.6AI score0.04602EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/11 12:17 a.m.35 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Service Management Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 5.4.0 of Jira Service Management Data Center and Server. This com.thoughtworks.xstream:xstream Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

8.2CVSS7.5AI score0.08689EPSS
Exploits1
Atlassian
Atlassian
added 2024/07/03 8:30 a.m.35 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.16157EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/12 9:13 p.m.35 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

5.4CVSS7.1AI score0.01727EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/12 9:12 p.m.35 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.3CVSS7.1AI score0.02054EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/25 5:10 p.m.35 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity org.apache.struts:struts2-core Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.apache.struts:struts2-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.06286EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:54 a.m.35 views

DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.3 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.02824EPSS
Exploits2
Atlassian
Atlassian
added 2023/12/14 7:45 a.m.35 views

DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server

This High severity org.json:json Dependency vulnerability was introduced in versions 9.2.3, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This org.json:json Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.7AI score0.01449EPSS
Exploits1
Atlassian
Atlassian
added 2023/11/27 4:46 p.m.35 views

DoS (Denial of Service) net.minidev:json-smart Vulnerability in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 5.7.1 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS6.7AI score0.023EPSS
Exploits1
Atlassian
Atlassian
added 2023/10/06 5:44 p.m.35 views

jackson-databind Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.5AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2023/07/06 7:54 a.m.35 views

Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting

h3. Issue Summary When using the open-source Jira Python library|https://github.com/pycontribs/jira to make REST API calls to Jira, if cookie-based authentication|https://jira.readthedocs.io/examples.htmlcookie-based-authentication is used then Jira's rate limits will be bypassed. This can result...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/16 5:14 a.m.35 views

Admin user can download audit logs without WebSudo validation

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to download audit logs, via a Broken Access Control vulnerability in the /auditing/export/download endpoint...

6.7AI score
Exploits0
Atlassian
Atlassian
added 2022/03/04 1:52 a.m.35 views

CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService

Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...

4.3CVSS5AI score0.00736EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.35 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/01 11:49 p.m.35 views

Replay attack via the CSRF failure retry form - CVE-2021-39124

The Cross-Site Request Forgery CSRF failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. Affected versions: version 8.16.0 Fixed...

4.3CVSS5.4AI score0.00528EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/27 12:52 a.m.35 views

Vulnerable version of Underscore.js used - CVE-2021-23358

Affected versions of Atlassian Jira Server and Data Center used Underscore.js 1.9.1, which was vulnerable to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358. The affected versions of Atlassian Jira Server and Data Center are before version 8.18.0. Affected versions: version 8.13.10 8.14.0 =...

7.2CVSS6.1AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2021/03/31 6:19 a.m.35 views

Information Disclosure using JQL function membersOf - CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly...

5.3CVSS5.3AI score0.0141EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/18 11:45 p.m.35 views

Denial of Service via /rest/gadget/1.0/createdVsResolved/generate endpoint - CVE-2021-39123

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0. Affected versions:...

7.5CVSS7.1AI score0.016EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/03 10:53 p.m.35 views

Stored XSS via Custom Fields on Screens Modal - CVE-2020-36234

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14...

4.8CVSS5.1AI score0.01015EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/22 5:27 p.m.35 views

Accessing the URL /chart?filename=<file_name> exposes sensitive information - CVE-2021-26067

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions...

5.3CVSS4.6AI score0.0111EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/28 1:4 a.m.35 views

Stored XSS in the Livesearch macro - CVE-2020-36290

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting XSS...

5.4CVSS5.1AI score0.00597EPSS
Exploits0
Total number of security vulnerabilities4295