Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/02/05 4:40 p.m.36 views

Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially

h3. Summary Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially. If you synchronize nested groups with upper case letters into Confluence from Crowd / LDAP, and then update the external directory to remove the child groups, the groups will no...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/01/12 4:33 a.m.36 views

XSS through the orderby parameter in the issue search resource - CVE-2017-16864

The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the orderby parameter...

6.1CVSS5.7AI score0.01165EPSS
Exploits0
Atlassian
Atlassian
added 2017/10/23 12:40 p.m.36 views

XSS Vulnerability in JIRA Issue Export

A search endpoint is vulnerable to an XSS injection in certain cases. Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/12 6:53 a.m.36 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluen...

7.5CVSS0.9AI score0.03712EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:27 a.m.36 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to...

7.5CVSS1AI score0.03712EPSS
Exploits0
Atlassian
Atlassian
added 2014/02/10 5:56 a.m.36 views

Security vulnerability in apache commons fileupload

Apache commons-fileupload 1.3.1 was released this weekend with a fix for CVE-2014-0050, involving a DoS attack when using specially crafted multipart requests. We need to determine if Confluence is vulnerable, and if so, upgrade to this version of the library...

7.5CVSS7.5AI score0.83175EPSS
Exploits8
Atlassian
Atlassian
added 2013/06/18 10:44 p.m.36 views

Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network

h3. Description This issue has been assigned CVE-2013-3925 by Mitre Corporation. Previously reported issue CVE-2012-2926 August 2012, CVSS score 6.4 was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing. The n...

5.8CVSS0.1AI score0.01758EPSS
Exploits1
Atlassian
Atlassian
added 2013/04/04 10:48 a.m.36 views

Editing "Global Templates" possible without admin login

If you are logged in to the admin panel you get the following line: quoteYou have temporary access to administrative functions. Drop access if you no longer require it. For more information, refer to the documentation.quote Pressing "Drop access" redirects you to the normal Wiki page, away from t...

7AI score
Exploits0
Atlassian
Atlassian
added 2013/01/02 4:17 a.m.36 views

Reflected xss in the jira-gadgets-plugin getLabelGroups rest resource

The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups rest resource that is vulnerable to reflected xss through the user supplied 'project' path parameter. The vulnerability is caused by building an error response message with a content type of text/html and not html encoding the...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/11/05 2:56 a.m.36 views

On Windows, Fisheye attempts to make ssh keys private but appears to be unsucessful

While testing FE-4315 on Windows, I noticed that even when generating a private key using Fisheye, the files permissions do not appear to actually change. The code to make the file private is this, in FileSystemUtils: code if SystemUtils.ISOSWINDOWS String username = System.getenv"USERNAME"; Stri...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/07 4:57 a.m.36 views

The application should return caching directives instructing browsers not to store local copies of any sensitive data.

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29625. panel We want to control the server's caching directives from within individual scripts. We have identified following locations, where...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/02/06 8:21 p.m.36 views

Comment field on GH cards do not respect the comment visibility.

If you add the Comment field on any Issue Views on GH the field shows the latest comment but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on Planning board and Task board with any GH views Summaries, Cards and Lists. Steps to Reproduce: Add the comment field to a...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2011/09/07 10:10 p.m.37 views

View PDF Macro in Office Connector makes http fetch from Adobe from https session

The View PDF macro within the Office Connector plugin provides the following http URL even for https sessions when a user's browser fails the Flash installed test. http://www.adobe.com/images/shared/downloadbuttons/getflashplayer.gif It's bad form to mix http urls in with secured https sessions a...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/27 11:58 p.m.36 views

Password History Count does not work for ATLASSIAN-SECURITY directories

Testing this locally on Crowd 227, I set the password history count to 1, then tried resetting my password through the interface and through 'Forgot Password' e-mail link, but was able to consistent use old passwords. I also expired the password, forcing a password change, but that also let me...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/19 12:57 a.m.36 views

Brute force protection on JIRA 4.1 leaks valid account names

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21036. panel The brute force login protection in JIRA only activates when a real user account is accessed. This can be used by an attacker t...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/07 1:44 a.m.36 views

Moving an issue from a project with Issue Security to a project without does not clear out the security

To reproduce this issue, do the following: Create Project AAA Create Project BBB Create an Issue Level Security Scheme, and assign it to AAA only Create a Clone of the Default Field Configuration Scheme. Hide the field Security Level on the Cloned copy. Assign the Cloned copy to BBB. Create a New...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/04/18 4:29 p.m.35 views

Information Disclosure in Confluence Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.00447EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/06 6:11 a.m.35 views

Path Traversal org.springframework:spring-webmvc Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 3.0 of Confluence Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.14718EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/10 8:18 p.m.35 views

Stored XSS in Confluence Data Center and Server

This High severity Stored XSS vulnerability was introduced in version 3.0 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to...

8.8CVSS9.1AI score0.72648EPSS
Exploits15
Atlassian
Atlassian
added 2024/07/11 12:17 a.m.35 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Service Management Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 5.4.0 of Jira Service Management Data Center and Server. This com.thoughtworks.xstream:xstream Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

8.2CVSS7.5AI score0.08689EPSS
Exploits1
Atlassian
Atlassian
added 2024/07/03 8:30 a.m.35 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.16157EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/12 9:13 p.m.35 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

5.4CVSS7.1AI score0.01727EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/12 9:12 p.m.35 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.3CVSS7.1AI score0.02054EPSS
Exploits0
Atlassian
Atlassian
added 2024/05/17 11:12 a.m.35 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Jira Software Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 8.20.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, and 9.7.0 of Jira Software Data Center and Server. This com.thoughtworks.xstream:xstream Dependency vulnerability, with a CVSS Score of...

8.2CVSS7.5AI score0.08689EPSS
Exploits1
Atlassian
Atlassian
added 2024/04/25 5:10 p.m.35 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity org.apache.struts:struts2-core Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.apache.struts:struts2-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.06286EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:54 a.m.35 views

DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.3 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.1AI score0.02824EPSS
Exploits2
Atlassian
Atlassian
added 2023/12/14 7:45 a.m.35 views

DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server

This High severity org.json:json Dependency vulnerability was introduced in versions 9.2.3, 9.3.0, and 9.4.0 of Bamboo Data Center and Server. This org.json:json Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.7AI score0.01449EPSS
Exploits1
Atlassian
Atlassian
added 2023/11/27 4:46 p.m.35 views

DoS (Denial of Service) net.minidev:json-smart Vulnerability in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 5.7.1 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS6.7AI score0.023EPSS
Exploits1
Atlassian
Atlassian
added 2023/10/06 5:44 p.m.35 views

jackson-databind Vulnerability in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, and 8.13.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.5AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2023/07/06 7:54 a.m.35 views

Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting

h3. Issue Summary When using the open-source Jira Python library|https://github.com/pycontribs/jira to make REST API calls to Jira, if cookie-based authentication|https://jira.readthedocs.io/examples.htmlcookie-based-authentication is used then Jira's rate limits will be bypassed. This can result...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/16 5:14 a.m.35 views

Admin user can download audit logs without WebSudo validation

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to download audit logs, via a Broken Access Control vulnerability in the /auditing/export/download endpoint...

6.7AI score
Exploits0
Atlassian
Atlassian
added 2022/03/04 1:52 a.m.35 views

CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService

Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...

4.3CVSS5AI score0.00736EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.35 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/01 11:49 p.m.35 views

Replay attack via the CSRF failure retry form - CVE-2021-39124

The Cross-Site Request Forgery CSRF failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. Affected versions: version 8.16.0 Fixed...

4.3CVSS5.4AI score0.00511EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/27 12:52 a.m.35 views

Vulnerable version of Underscore.js used - CVE-2021-23358

Affected versions of Atlassian Jira Server and Data Center used Underscore.js 1.9.1, which was vulnerable to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358. The affected versions of Atlassian Jira Server and Data Center are before version 8.18.0. Affected versions: version 8.13.10 8.14.0 =...

7.2CVSS6.1AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2021/07/02 12:53 a.m.35 views

Information disclosure issue in the comment notification feature - CVE-2021-39120

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to learn when a restricted comment is removed from an issue via an information disclosure vulnerability in the comment notification functionality. The affected versions are before version 8.18.0. Affected versions:...

5.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/31 6:19 a.m.35 views

Information Disclosure using JQL function membersOf - CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly...

5.3CVSS5.3AI score0.0141EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/18 11:45 p.m.35 views

Denial of Service via /rest/gadget/1.0/createdVsResolved/generate endpoint - CVE-2021-39123

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0. Affected versions:...

7.5CVSS7.1AI score0.01549EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/03 10:53 p.m.35 views

Stored XSS via Custom Fields on Screens Modal - CVE-2020-36234

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14...

4.8CVSS5.1AI score0.01015EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/22 5:27 p.m.35 views

Accessing the URL /chart?filename=<file_name> exposes sensitive information - CVE-2021-26067

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions...

5.3CVSS4.6AI score0.0111EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/28 1:4 a.m.35 views

Stored XSS in the Livesearch macro - CVE-2020-36290

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting XSS...

5.4CVSS5.1AI score0.00597EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/22 1:50 a.m.35 views

Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. Affected versions version 8.8.0 Fixed versions 8.8.0...

6.5CVSS6.9AI score0.01024EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:57 p.m.35 views

CSRF in the setup resources - CVE-2020-4018

The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery CSRF vulnerability...

8.8CVSS8.3AI score0.0057EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/01 4:1 a.m.35 views

CSRF via Logging and Profiling feature - CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.3 8.0.0 ≤ version 8.1.0 Fixed versions: 7.13.3 8.1.0...

4.3CVSS4.9AI score0.00623EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:48 a.m.35 views

Stored XSS via malicious file upload - CVE-2020-14173

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7...

5.4CVSS5.3AI score0.00886EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:35 a.m.35 views

DoS in avatar upload via crafted PNG file - CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7.1 8.8.0...

6.5CVSS6.1AI score0.01875EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 1:43 a.m.35 views

XSS in the the review resource through the name of a missing branch - CVE-2019-15007

The review resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a missing branch...

4.8CVSS4.4AI score0.00596EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:19 p.m.35 views

Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email...

4.3CVSS3.6AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/03 6:28 p.m.35 views

Clicking on <agent> of a build result reveals details of all run builds, not only for the ones for which a non-Admin user has View permission

h3. Issue Summary h3. Environment This issue is approved to happen for Bamboo version 6.7.2 and 6.9.1, likely it happens for all Bamboo versions. h3. Steps to Reproduce Define a non-Admin user a Bamboo admin should already exist via installation Provide global, project and plan permissions,...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/12 2:43 a.m.35 views

Disclosure of issue key validity & issue attachment names in the render api resource - CVE-2019-14995

The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check...

5.3CVSS5.4AI score0.03012EPSS
Exploits1
Total number of security vulnerabilities4295