Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/12/03 2:27 a.m.34 views

XSS in the two-dimensional filter statistics gadget on a Jira dashboard - CVE-2018-13403

The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the name of ...

5.4CVSS3.2AI score0.00944EPSS
Exploits0
Atlassian
Atlassian
added 2018/10/23 12:24 a.m.34 views

Open redirect in many resources - CVE-2018-13402

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before versio...

6.1CVSS4.6AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2018/09/17 12:39 p.m.34 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/27 6:17 a.m.34 views

XSS in various resources when moving issues through the Epic Colour field of an issue - CVE-2018-13395

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML ...

6.1CVSS3.1AI score0.01008EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/15 1:1 a.m.34 views

The acceptAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13394

The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user accept an answer via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00841EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.34 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

The version of the bundled Atlassian Application Links plugin was vulnerable to XSS. See https://ecosystem.atlassian.net/browse/APL-1361 for more details...

4.8CVSS2.1AI score0.00635EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.34 views

Server Side Request Forgery(SSRF) in the Jira Trello importer - CVE-2017-16865

The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery SSRF. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access...

5.3CVSS5.5AI score0.00689EPSS
Exploits0
Atlassian
Atlassian
added 2017/08/02 11:27 a.m.34 views

Move sensitive information out of Synchrony JVM arguments

h3. Issue Running Synchrony as a stand-alone service for data center instances exposes sensitive information such as the database username/password, and public/private keys. These are all passed as JVM arguments. This means anyone with command-line access to the server can see this information vi...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/13 4:43 a.m.34 views

Multiple Vulnerabilities in JIRA Workflow Servlet

||Affected Versions|| |4.2.4 = version 6.3.0| An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way...

9.8CVSS9.1AI score0.16239EPSS
Exploits1
Atlassian
Atlassian
added 2016/09/26 7:5 a.m.34 views

CVE-2016-6496: LDAP Java Object Injection in Crowd

The Crowd LDAP directory connector allowed an attacker to gain remote code execution in Crowd by injecting malicious attributes in LDAP entries. To exploit this issue, attackers need to modify an entry in your LDAP directory or successfully execute a Man-in-The-Middle attack between an LDAP serve...

9.8CVSS2.5AI score0.04705EPSS
Exploits0
Atlassian
Atlassian
added 2016/09/12 6:27 a.m.34 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to...

7.5CVSS1AI score0.03743EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/26 7:31 a.m.34 views

JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-59980. panel h3. Security information The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...

5.9CVSS5.6AI score0.016EPSS
Exploits1
Atlassian
Atlassian
added 2016/01/12 3:59 a.m.34 views

CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port port 5466...

9.8CVSS9.2AI score0.02976EPSS
Exploits0
Atlassian
Atlassian
added 2015/10/05 10:0 p.m.34 views

Cross-Site Scripting in subscribetocalendar.action

The contents of the 'subCalendarId' parameter is not validated in POST requests to 'subscribetocalendar.action' and is susceptible to cross-site scripting. Steps to Reproduce: Start a proxy tool such as Burp Suite. Log into a Confluence instance with Team Calendars installed. Use the proxy tool t...

Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/26 7:39 p.m.34 views

Update Tomcat Native DLL in JIRA Installer

quote 7 new vulnerabilities were announced for OpenSSL on 5 June 2014. These vulnerabilities affect Tomcat Native, which ships with the Windows Installer versions of JIRA. So please update your JIRA Windows Installers to include a patched version of Tomcat Native DLL's, once these become availabl...

2.3AI score0.99999EPSS
Exploits88Affected Software1
Atlassian
Atlassian
added 2014/06/24 5:47 a.m.34 views

Remote DoS Exploit on JIRA

An attacker is able to perform the billion laughs attack on a default JIRA installation including OnDemand installations. This attack can be executed without authentication and leads to the complete use of resources on the victim machine causing the server to crash or hang. It is possible due to...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/30 6:26 p.m.34 views

/rest/menu/1.0/appswitcher displays data unauthenticated

"Calling" this function returns data without any authentication required: noformat curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/26 9:6 a.m.34 views

View Content Permission Set not Complete.

The Content Permission Set returned from the method getViewContentPermissions is incomplete. It appears to only contain a single ContentPermission object regardless of how many View permisisons have been attached to a Page. 1 Create a new page 2 Assign a View restriction for 1 group 3 Assign View...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/02/15 3:28 p.m.34 views

Grant "Browse Project" permission to "Current Assignee" makes project visible to all users

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-31720. panel panel:title=Status Update|borderStyle=solid|borderColor=ff7f7f|titleBGColor=ff7f7f|bgColor=e5e5e5 Hi everyone, We have reviewed...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/02/06 8:21 p.m.34 views

Comment field on GH cards do not respect the comment visibility.

If you add the Comment field on any Issue Views on GH the field shows the latest comment but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on Planning board and Task board with any GH views Summaries, Cards and Lists. Steps to Reproduce: Add the comment field to a...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/07/28 4:34 p.m.34 views

NullPointerException when Switching between Projects or Boards

In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/09/02 3:54 p.m.34 views

"User Custom Field Value" permission type incorrectly exposes JIRA project names to everyone

Problem: Project names are shown to users with no permission to see the project. Impact: Security hole! Recipe: it helps to have two browsers open one logged in as admin the other as the user I will create called dummy Add user dummy Add project blah Add custom field myuser of type user picker,...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/01 12:29 p.m.34 views

Project name that contains double-quote is not properly escaped on Issue Navigator page

If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/30 6:32 p.m.34 views

"Current Assignee" on Browse Permission problem

I have created a permission scheme in Jira but I am experiencing an odd behaviour. I have 5 users in Jira and in the permission scheme, the Browse Projects is assigned to: - Project Lead - Project Role Administrators - Project Role Clients Among the 5 users, 3 fit these categories. One is a proje...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.34 views

Obscure email addresses in Confluence Mail

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-2677. panel Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/04/08 1:18 a.m.33 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Service Management Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 5.12.4, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This net.minidev:json-smart Dependency vulnerability,...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/29 5:45 p.m.33 views

com.hazelcast:hazelcast Dependency in Bitbucket Data Center and Server

This High severity com.hazelcast:hazelcast Dependency vulnerability was introduced in versions 7.21.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, and 8.18.0 of Bitbucket Data Center and Server. This com.hazelcast:hazelcas...

7.6CVSS6.2AI score0.00503EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/14 7:12 a.m.33 views

org.springframework:spring-webmvc Dependency in Bitbucket Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, and 8.18.0 of Bitbucket Data Center and Server. This org.springframework:spring-webmvc Dependency...

7.5CVSS6.7AI score0.14718EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/04 11:11 p.m.33 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Crowd Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.23072EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/16 8:11 p.m.33 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Jira Service Management Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0 and 5.14.0 of Jira Service Management Data Center and Server. This com.nimbusds:nimbus-jose-jwt...

7.5CVSS7.4AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/23 4:18 a.m.33 views

RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

This High severity RCE Remote Code Execution vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has...

8.8CVSS8.2AI score0.00714EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/20 8:47 a.m.33 views

BASM (Broken Authentication & Session Management) browserify-sign Dependency in Confluence Data Center

This High severity BASM Broken Authentication & Session Management vulnerability was introduced in version 7.11 of Confluence Data Center. This BASM Broken Authentication & Session Management vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to exploit a cryptographic...

7.5CVSS7.1AI score0.00508EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/10 1:15 a.m.33 views

DoS (Denial of Service) org.apache.cxf:cxf-rt-rs-security-jose Dependency in Bitbucket Data Center and Server

This High severity org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability was introduced in versions 8.9.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server. This org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7AI score0.01269EPSS
Exploits0
Atlassian
Atlassian
added 2024/08/28 4:11 p.m.33 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 6.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of...

7.3CVSS7.7AI score0.02054EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.33 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...

8.8CVSS7AI score0.03489EPSS
Exploits0
Atlassian
Atlassian
added 2022/09/06 6:48 p.m.33 views

Reset password function leaks information that can be used to harvest accounts

h3. Issue Summary When hitting the resetuserpassword.action URL directly with a username value, it's possible to identify valid users through the responses given by Confluence. The response for a valid user differs from the response for an invalid user. This is an issue as a malicious entity can...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2022/07/15 8:57 p.m.33 views

Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. Affected versions: versi...

8.8CVSS8AI score0.00555EPSS
Exploits0
Atlassian
Atlassian
added 2021/10/07 12:6 p.m.33 views

Local File Dislocusure to Browse All Files in /atlassian-bamboo

This vulnerability affects certain versions of Atlassian Bamboo. Attacker can craft URL to browse all files inside /atlassian-bamboo at Bamboo installation folder, which includes files at WEB-INF folder...

4.3AI score
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.33 views

Access-revoked user can view audit logs of Jira Projects - CVE-2021-41309

Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The...

5.3CVSS5.8AI score0.00804EPSS
Exploits0
Atlassian
Atlassian
added 2021/04/14 2:32 a.m.33 views

Full path information disclose via invalid filename error message - CVE-2021-26075

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an...

4.3CVSS4.5AI score0.0161EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/01 8:35 p.m.34 views

Blind SSRF in widgetConnector - CVE-2021-26072

Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability in the widgetconnector plugin. When running in an environment like Amazon EC2, this flaw may be used to access...

4.3CVSS2.8AI score0.38845EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/04 1:15 a.m.33 views

Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. Affected versions: version...

5.3CVSS5.4AI score0.01244EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/19 10:18 p.m.33 views

Project enumeration via Jira Projects plugin report page - CVE-2020-29451

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version...

4.3CVSS4.8AI score0.00846EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/04 7:26 a.m.33 views

User has access to project and repository after global permission has been removed

h3. Problem User has access to project and repository after global permission has been removed. Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user. h3. Environment - Tested on 7.5 and 7.3 h3. Steps to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/10/05 8:20 p.m.33 views

SEN disclosure via HTTP Response headers - CVE-2020-14183

Affected versions of Jira Server & Data Center allow a remote attacker with limited non-admin privileges to view a Jira instance's Support Entitlement Number SEN via an Information Disclosure vulnerability in the HTTP Response headers. Affected versions: version 7.13.18 8.0.0 ≤ version 8.5.9 8.6....

4.3CVSS4.3AI score0.01287EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/18 2:45 a.m.33 views

XSS in API and Integrations - CVE-2020-14166

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in API and Integrations. Affected versions: version 4.10.0 Fixed versions: 4.10.0...

4.8CVSS5.6AI score0.0194EPSS
Exploits3
Atlassian
Atlassian
added 2020/06/02 3:23 p.m.33 views

Velocity Template Injection in Custom user macros - Macros Platform - CVE-2020-4027

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. This issue was discovered and reported by GHSL team member...

6.5CVSS5.6AI score0.01515EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.33 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:36 p.m.33 views

XSS in the review resource through objectives - CVE-2020-4013

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the review objectives...

5.4CVSS5.1AI score0.00628EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/08 3:20 a.m.33 views

Information Disclosure in comment restriction feature - CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. Affected versions: version 7.6.17 7.7.0 ≤ version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.6.17...

6.5CVSS5.7AI score0.01864EPSS
Exploits0
Total number of security vulnerabilities4295