Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/04/22 1:50 a.m.35 views

Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. Affected versions version 8.8.0 Fixed versions 8.8.0...

6.5CVSS6.9AI score0.01024EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:57 p.m.35 views

CSRF in the setup resources - CVE-2020-4018

The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery CSRF vulnerability...

8.8CVSS8.3AI score0.0057EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/01 4:1 a.m.35 views

CSRF via Logging and Profiling feature - CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.3 8.0.0 ≤ version 8.1.0 Fixed versions: 7.13.3 8.1.0...

4.3CVSS4.9AI score0.00623EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:48 a.m.35 views

Stored XSS via malicious file upload - CVE-2020-14173

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7...

5.4CVSS5.3AI score0.00886EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:35 a.m.35 views

DoS in avatar upload via crafted PNG file - CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7.1 8.8.0...

6.5CVSS6.1AI score0.01875EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 1:43 a.m.35 views

XSS in the the review resource through the name of a missing branch - CVE-2019-15007

The review resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a missing branch...

4.8CVSS4.4AI score0.00596EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:19 p.m.35 views

Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email...

4.3CVSS3.6AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/28 12:30 a.m.35 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/10 3:28 a.m.35 views

Missing authentication checks in various administrative system import resources - CVE-2017-18101

Various administrative external system import resources in Atlassian JIRA Server including JIRA Core before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if ...

6.5CVSS6.2AI score0.01121EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/10 3:18 a.m.35 views

XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100

The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of quick filters. h3. Workaround Disable the gadget. - Navigate to Administration Add-ons Manage add-ons and se...

6.1CVSS5.7AI score0.00945EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.35 views

Path traversal through the name of a git tag in the git repository tag rest resource - CVE-2017-18037

The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 the fixed version for 4.14.x, from version 5.0.0 before 5.0.9 the fixed version for 5.0.x, from version 5.1.0 before 5.1.8 the fixed version for 5.1.x, from version 5.2.0 before 5.2.6 the fixed...

6.5CVSS4.7AI score0.01328EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.35 views

XSS in the viewdefaultdecorator resource through the key parameter - CVE-2017-18085

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the key parameter...

6.1CVSS4.8AI score0.00825EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/18 10:44 a.m.35 views

Missing permission check in review coverage REST endpoint - CVE-2017-18035

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistic...

4.3CVSS5.3AI score0.00803EPSS
Exploits0
Atlassian
Atlassian
added 2017/05/08 5:5 a.m.36 views

Command Injection (CVE-2017-8768)

SourceTree for Windows is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Affected versions: Versions of SourceTree for Windows starting with 0.8.4b before version 2.0.20.1 are affected by this...

10CVSS3.1AI score0.08262EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:15 a.m.35 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit th...

7.5CVSS3.2AI score0.03743EPSS
Exploits0
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.35 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS5.9AI score0.02302EPSS
Exploits4
Atlassian
Atlassian
added 2015/06/10 5:24 a.m.35 views

CVE-2015-4136: SSH Authorisation permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI

In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image Windows Server 2012 R2 AMI contain a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access it was permitted to login through SSH on instances using the affected AMI. In the event that a...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/11/21 8:54 a.m.35 views

Restricted page at the Home Page layer is shown at the sidebar page tree

h3. Problem The page which is restricted to user A only is shown on the page tree and the left sidebar when the page is at the top level of the page tree which is at the same level at the home page. This is replicable on my dev instance. Create a test space. Create Page A and make sure the locati...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/25 7:30 a.m.35 views

XSS using WebFragmentBuilder for WebItemProvider

The label is not escaped properly when using WebFragmentBuilder to generate links for JIRA's nav dropdown. This only happens when is not present in the relevant WebSection...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/05 7:15 a.m.35 views

Domain restricted signup is creating enabled users on ApacheDS

When a user signs up to a Confluence instance that has domain restricted sign up enabled, they are normally created as disabled users and are unable to login. However, when the underlying user directory does not support disabling users, such as ApacheDS 1.5, then the user ends up being created as...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/01 10:59 a.m.35 views

Inaccessible page titles leaked by Share Page API

The Share Page API exposes a REST endpoint that is available to authenticated users of Confluence. It is possible for any user to share any page simply by specifying the corresponding numeric id and the resulting notification includes the title of the shared page. In particular, a user may obtain...

6.6AI score
Exploits0
Atlassian
Atlassian
added 2013/08/20 2:11 a.m.35 views

Regression - "Browse Project" permission for "Reporter" grants users to see projects they are not permitted to.

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-34389. panel Regression of JRA-4935 When i add the "Reporter" to the "Browse Project" Permission of one project. This project instantly becom...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/12/17 7:35 p.m.35 views

Encrypt Database Password in dbconfig.xml or use integrated authentication

panel:title=Atlassian Update – 5 January 2016|borderStyle=solid|borderColor=ebf2f9 | titleBGColor=ebf2f9 | bgColor=ffffff Hi everyone, Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, w...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/12 2:24 p.m.35 views

Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-25189. panel When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherited...

Exploits0Affected Software1
Atlassian
Atlassian
added 2012/01/03 3:5 a.m.35 views

Upgrade Tomcat to latest minor version

See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...

0.8AI score
Exploits5
Atlassian
Atlassian
added 2012/01/03 3:5 a.m.35 views

Upgrade Tomcat to latest minor version

See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...

0.8AI score
Exploits5Affected Software1
Atlassian
Atlassian
added 2008/11/03 1:10 a.m.35 views

Logging event information is not HTML encoded in 500 error page

The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/02/13 9:17 p.m.34 views

Path Traversal (Arbitrary Read/Write) org.springframework:spring-webmvc Dependency in Jira Software Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 9.12.0 Jira Software Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7AI score
Exploits0
Atlassian
Atlassian
added 2024/08/15 2:50 p.m.34 views

Reflected XSS and CSRF (Cross-Site Request Forgery) in Confluence Data Center and Server

This High severity Reflected XSS and CSRF Cross-Site Request Forgery vulnerability was introduced in versions 4.3 of Confluence Data Center and Server. This Reflected XSS and CSRF Cross-Site Request Forgery vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute...

8.2CVSS6.9AI score0.00712EPSS
Exploits0
Atlassian
Atlassian
added 2022/03/15 7:56 p.m.34 views

Jira Software Server Template RCE via Email Templates feature

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Software Server and Data Center allow a system administrator to execute arbitrary code via a remote code execution in the...

7.2CVSS6.5AI score0.02225EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/02 9:56 a.m.34 views

Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13

h3. Issue Summary Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2021/05/06 8:5 a.m.34 views

Stored XSS on Jira Issue XML Export - CVE-2021-26082

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in XML Export. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0. Affected...

5.4CVSS5.1AI score0.00735EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/21 9:12 a.m.34 views

Unauthenticated information leakage of temporary files and project keys - CVE-2021-26069

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/\id/ActionsAndOperations API endpoint. The affected versions are before...

5.3CVSS5.4AI score0.02508EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:28 a.m.34 views

Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions:...

4.3CVSS5.1AI score0.00868EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.34 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5AI score0.00772EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/16 7:57 p.m.34 views

CSRF in the setup resources - CVE-2020-4018

The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery CSRF vulnerability...

8.8CVSS8.3AI score0.0057EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:38 p.m.34 views

Information disclosure in the /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin - CVE-2020-4016

The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:58 p.m.34 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.1AI score0.00765EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/30 9:25 p.m.34 views

Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. h3. Note on fix The fix was tested internally before backporting it and no issues were...

4.3CVSS5.1AI score0.01297EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/29 11:18 p.m.34 views

Improper authorization on support files vulnerability in Jira - CVE-2019-20402

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability...

4.9CVSS4.6AI score0.00766EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/28 3:52 a.m.34 views

Jira Server Comment Permissions Broken Access Control Bug - CVE-2019-20106

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug...

4.3CVSS5AI score0.01191EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.34 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Fisheye before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS2.9AI score0.00915EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.34 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Bamboo before version 6.8.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS3AI score0.00915EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:6 p.m.34 views

Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization...

4.3CVSS3.9AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:48 a.m.34 views

The ViewLogging class exposed various resources that were vulnerable to CSRF - CVE-2019-11587

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery CSRF...

6.5CVSS5.9AI score0.00799EPSS
Exploits0
Atlassian
Atlassian
added 2019/06/23 10:48 p.m.34 views

Denial of service in issue searching through Epic Name ordering - CVE-2019-11583

The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name"...

6.5CVSS5.8AI score0.01501EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:15 a.m.34 views

Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check...

7.5CVSS7.1AI score0.0205EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 3:47 a.m.34 views

Authorisation bypass in the ViewUpgrades resource - CVE-2019-8443

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...

8.1CVSS7.8AI score0.02618EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/21 3:25 a.m.34 views

Sending a specific stream of data on the Hazelcast 5701 port can lead to Bitbucket being unavailable

h3. Issue Summary Specific data streams can cause Bitbucket nodes to become unresponsive. The following can be found in the logs: noformat WARN hz.hazelcast.IO.thread-Acceptor c.h.nio.tcp.SocketAcceptorThread :5701 3.7.4-atlassian-43 java.io.UTFDataFormatException: Rejecting request to read...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/01/23 7:19 p.m.34 views

Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235

There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. h4. Affected...

9CVSS3.9AI score0.06686EPSS
Exploits0Affected Software1
Total number of security vulnerabilities4295