Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2022/03/04 1:52 a.m.35 views

CVE-2021-43954: File and network resource enumeration via SSRF in DefaultRepositoryAdminService

Affected versions of Atlassian Fisheye and Crucible allow remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery SSRF vulnerability in the DefaultRepositoryAdminService class. When runni...

4.3CVSS5AI score0.00736EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.35 views

Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References IDOR vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.1...

7.5CVSS5.8AI score0.01621EPSS
Exploits0
Atlassian
Atlassian
added 2021/09/01 11:49 p.m.35 views

Replay attack via the CSRF failure retry form - CVE-2021-39124

The Cross-Site Request Forgery CSRF failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. Affected versions: version 8.16.0 Fixed...

4.3CVSS5.4AI score0.00528EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/27 12:52 a.m.35 views

Vulnerable version of Underscore.js used - CVE-2021-23358

Affected versions of Atlassian Jira Server and Data Center used Underscore.js 1.9.1, which was vulnerable to CVE-2021-23358|https://vulners.com/cve/CVE-2021-23358. The affected versions of Atlassian Jira Server and Data Center are before version 8.18.0. Affected versions: version 8.13.10 8.14.0 =...

7.2CVSS6.1AI score0.04087EPSS
Exploits2
Atlassian
Atlassian
added 2021/03/31 6:19 a.m.35 views

Information Disclosure using JQL function membersOf - CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly...

5.3CVSS5.3AI score0.0141EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/18 11:45 p.m.35 views

Denial of Service via /rest/gadget/1.0/createdVsResolved/generate endpoint - CVE-2021-39123

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0. Affected versions:...

7.5CVSS7.1AI score0.016EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/03 10:53 p.m.35 views

Stored XSS via Custom Fields on Screens Modal - CVE-2020-36234

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14...

4.8CVSS5.1AI score0.01015EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/22 5:27 p.m.35 views

Accessing the URL /chart?filename=<file_name> exposes sensitive information - CVE-2021-26067

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions...

5.3CVSS4.6AI score0.0111EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:28 a.m.35 views

Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions:...

4.3CVSS5.1AI score0.00868EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.35 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5AI score0.00772EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/22 1:50 a.m.35 views

Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. Affected versions version 8.8.0 Fixed versions 8.8.0...

6.5CVSS6.9AI score0.01024EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:57 p.m.35 views

CSRF in the setup resources - CVE-2020-4018

The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery CSRF vulnerability...

8.8CVSS8.3AI score0.0057EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:38 p.m.35 views

Information disclosure in the /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin - CVE-2020-4016

The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:58 p.m.35 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.1AI score0.00765EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/01 4:1 a.m.35 views

CSRF via Logging and Profiling feature - CVE-2019-20415

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery CSRF vulnerability. Affected versions: version 7.13.3 8.0.0 ≤ version 8.1.0 Fixed versions: 7.13.3 8.1.0...

4.3CVSS4.9AI score0.00623EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:48 a.m.35 views

Stored XSS via malicious file upload - CVE-2020-14173

The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7...

5.4CVSS5.3AI score0.00886EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:35 a.m.35 views

DoS in avatar upload via crafted PNG file - CVE-2019-20897

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. Affected versions version 8.5.4 8.6.0 ≤ version ≤ 8.7.0 8.7.0 ≤ version 8.7.1 Fixed versions 8.5.4 8.7.1 8.8.0...

6.5CVSS6.1AI score0.01875EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/29 11:18 p.m.35 views

Improper authorization on support files vulnerability in Jira - CVE-2019-20402

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability...

4.9CVSS5.5AI score0.00766EPSS
Exploits0
Atlassian
Atlassian
added 2019/09/26 4:6 p.m.35 views

Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization...

4.3CVSS3.9AI score0.01334EPSS
Exploits0
Atlassian
Atlassian
added 2018/09/17 12:39 p.m.35 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/10 3:28 a.m.35 views

Missing authentication checks in various administrative system import resources - CVE-2017-18101

Various administrative external system import resources in Atlassian JIRA Server including JIRA Core before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if ...

6.5CVSS6.2AI score0.01121EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/10 3:18 a.m.35 views

XSS in the agile wallboard gadget through quick filter names - CVE-2017-18100

The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of quick filters. h3. Workaround Disable the gadget. - Navigate to Administration Add-ons Manage add-ons and se...

6.1CVSS5.7AI score0.00945EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.35 views

Path traversal through the name of a git tag in the git repository tag rest resource - CVE-2017-18037

The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 the fixed version for 4.14.x, from version 5.0.0 before 5.0.9 the fixed version for 5.0.x, from version 5.1.0 before 5.1.8 the fixed version for 5.1.x, from version 5.2.0 before 5.2.6 the fixed...

6.5CVSS4.7AI score0.01328EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:11 a.m.35 views

XSS in the viewdefaultdecorator resource through the key parameter - CVE-2017-18085

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the key parameter...

6.1CVSS4.8AI score0.00825EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:15 a.m.35 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit th...

7.5CVSS3.2AI score0.03743EPSS
Exploits0
Atlassian
Atlassian
added 2015/10/26 8:4 p.m.35 views

Rest API XSS

An unauthenticated XSS vulnerability has been confirmed in confluence 5.8.15 and 5.8.14. The vulnerability is located at /rest/prototype/1/session/check/something POC URL: http:///confpath/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%280%29%3E This was confirmed in t...

6.1CVSS5.9AI score0.02302EPSS
Exploits4
Atlassian
Atlassian
added 2015/06/10 5:24 a.m.35 views

CVE-2015-4136: SSH Authorisation permitted for a user with hard-coded credentials in Windows Stock Image (Windows Server 2012 R2) AMI

In Bamboo 5.8.0 and 5.8.1 the Windows Stock Image Windows Server 2012 R2 AMI contain a 'bamboo' user which is configured with a publicly known password. While the 'bamboo' user is not allowed RDP access it was permitted to login through SSH on instances using the affected AMI. In the event that a...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/11/21 8:54 a.m.35 views

Restricted page at the Home Page layer is shown at the sidebar page tree

h3. Problem The page which is restricted to user A only is shown on the page tree and the left sidebar when the page is at the top level of the page tree which is at the same level at the home page. This is replicable on my dev instance. Create a test space. Create Page A and make sure the locati...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/25 7:30 a.m.35 views

XSS using WebFragmentBuilder for WebItemProvider

The label is not escaped properly when using WebFragmentBuilder to generate links for JIRA's nav dropdown. This only happens when is not present in the relevant WebSection...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/05 7:15 a.m.35 views

Domain restricted signup is creating enabled users on ApacheDS

When a user signs up to a Confluence instance that has domain restricted sign up enabled, they are normally created as disabled users and are unable to login. However, when the underlying user directory does not support disabling users, such as ApacheDS 1.5, then the user ends up being created as...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/01 10:59 a.m.35 views

Inaccessible page titles leaked by Share Page API

The Share Page API exposes a REST endpoint that is available to authenticated users of Confluence. It is possible for any user to share any page simply by specifying the corresponding numeric id and the resulting notification includes the title of the shared page. In particular, a user may obtain...

6.6AI score
Exploits0
Atlassian
Atlassian
added 2013/08/20 2:11 a.m.35 views

Regression - "Browse Project" permission for "Reporter" grants users to see projects they are not permitted to.

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-34389. panel Regression of JRA-4935 When i add the "Reporter" to the "Browse Project" Permission of one project. This project instantly becom...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/02/15 3:28 p.m.35 views

Grant "Browse Project" permission to "Current Assignee" makes project visible to all users

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-31720. panel panel:title=Status Update|borderStyle=solid|borderColor=ff7f7f|titleBGColor=ff7f7f|bgColor=e5e5e5 Hi everyone, We have reviewed...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/12/17 7:35 p.m.35 views

Encrypt Database Password in dbconfig.xml or use integrated authentication

panel:title=Atlassian Update – 5 January 2016|borderStyle=solid|borderColor=ebf2f9 | titleBGColor=ebf2f9 | bgColor=ffffff Hi everyone, Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, w...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/12 2:24 p.m.35 views

Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-25189. panel When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherited...

Exploits0Affected Software1
Atlassian
Atlassian
added 2012/01/03 3:5 a.m.35 views

Upgrade Tomcat to latest minor version

See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...

0.8AI score
Exploits5Affected Software1
Atlassian
Atlassian
added 2012/01/03 3:5 a.m.35 views

Upgrade Tomcat to latest minor version

See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...

0.8AI score
Exploits5
Atlassian
Atlassian
added 2010/08/04 10:49 a.m.35 views

Display Last-Login-Date for the User

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21933. panel Dear Atlassian! I don't know whether a ticket like this already exits or was solved, but I couln't find any. We would like to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/02/18 8:8 p.m.35 views

Issue security based on workflow status

I would be great if permission types could be associated with workflow status. What we would like to do is limit the ability to edit an issue by the reporter to a specific workflow status. Using the issue security scheme is not possible since the reporter should always be allowed to view the issu...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/03 1:10 a.m.35 views

Logging event information is not HTML encoded in 500 error page

The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/02/13 9:17 p.m.34 views

Path Traversal (Arbitrary Read/Write) org.springframework:spring-webmvc Dependency in Jira Software Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 9.12.0 Jira Software Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7AI score
Exploits0
Atlassian
Atlassian
added 2024/08/15 2:50 p.m.34 views

Reflected XSS and CSRF (Cross-Site Request Forgery) in Confluence Data Center and Server

This High severity Reflected XSS and CSRF Cross-Site Request Forgery vulnerability was introduced in versions 4.3 of Confluence Data Center and Server. This Reflected XSS and CSRF Cross-Site Request Forgery vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute...

8.2CVSS6.9AI score0.00712EPSS
Exploits0
Atlassian
Atlassian
added 2022/03/15 7:56 p.m.34 views

Jira Software Server Template RCE via Email Templates feature

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Software Server and Data Center allow a system administrator to execute arbitrary code via a remote code execution in the...

7.2CVSS6.5AI score0.02225EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/02 9:56 a.m.34 views

Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13

h3. Issue Summary Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2021/05/06 8:5 a.m.34 views

Stored XSS on Jira Issue XML Export - CVE-2021-26082

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in XML Export. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0. Affected...

5.4CVSS5.1AI score0.00735EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/01 8:35 p.m.35 views

Blind SSRF in widgetConnector - CVE-2021-26072

Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability in the widgetconnector plugin. When running in an environment like Amazon EC2, this flaw may be used to access...

4.3CVSS2.8AI score0.38845EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/01/21 9:12 a.m.34 views

Unauthenticated information leakage of temporary files and project keys - CVE-2021-26069

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/\id/ActionsAndOperations API endpoint. The affected versions are before...

5.3CVSS5.4AI score0.02508EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/04 7:26 a.m.34 views

User has access to project and repository after global permission has been removed

h3. Problem User has access to project and repository after global permission has been removed. Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user. h3. Environment - Tested on 7.5 and 7.3 h3. Steps to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.34 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:36 p.m.34 views

XSS in the review resource through objectives - CVE-2020-4013

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the review objectives...

5.4CVSS5.1AI score0.00628EPSS
Exploits0
Total number of security vulnerabilities4295