Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2016/01/12 3:59 a.m.34 views

CVE-2015-8360: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo JMS port port 5466...

9.8CVSS9.2AI score0.02976EPSS
Exploits0
Atlassian
Atlassian
added 2015/10/05 10:0 p.m.34 views

Cross-Site Scripting in subscribetocalendar.action

The contents of the 'subCalendarId' parameter is not validated in POST requests to 'subscribetocalendar.action' and is susceptible to cross-site scripting. Steps to Reproduce: Start a proxy tool such as Burp Suite. Log into a Confluence instance with Team Calendars installed. Use the proxy tool t...

Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/24 5:47 a.m.34 views

Remote DoS Exploit on JIRA

An attacker is able to perform the billion laughs attack on a default JIRA installation including OnDemand installations. This attack can be executed without authentication and leads to the complete use of resources on the victim machine causing the server to crash or hang. It is possible due to...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/30 6:26 p.m.34 views

/rest/menu/1.0/appswitcher displays data unauthenticated

"Calling" this function returns data without any authentication required: noformat curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/17 12:10 a.m.34 views

Able to create a repository from Source Tree on a Stash project on which i do not have 'admin' access

Able to create a repository from Source Tree on a Stash project on which i do not have 'admin' access. On Stash, only admin access will have option to create repositories, however Source Tree allows users to create repository on a Stash project where users have only 'write' access. This is a majo...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/26 9:6 a.m.34 views

View Content Permission Set not Complete.

The Content Permission Set returned from the method getViewContentPermissions is incomplete. It appears to only contain a single ContentPermission object regardless of how many View permisisons have been attached to a Page. 1 Create a new page 2 Assign a View restriction for 1 group 3 Assign View...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/02/15 3:28 p.m.34 views

Grant "Browse Project" permission to "Current Assignee" makes project visible to all users

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-31720. panel panel:title=Status Update|borderStyle=solid|borderColor=ff7f7f|titleBGColor=ff7f7f|bgColor=e5e5e5 Hi everyone, We have reviewed...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/12/17 7:35 p.m.34 views

Encrypt Database Password in dbconfig.xml or use integrated authentication

panel:title=Atlassian Update – 5 January 2016|borderStyle=solid|borderColor=ebf2f9 | titleBGColor=ebf2f9 | bgColor=ffffff Hi everyone, Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, w...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/02/06 8:21 p.m.34 views

Comment field on GH cards do not respect the comment visibility.

If you add the Comment field on any Issue Views on GH the field shows the latest comment but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on Planning board and Task board with any GH views Summaries, Cards and Lists. Steps to Reproduce: Add the comment field to a...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/03 1:10 a.m.34 views

Logging event information is not HTML encoded in 500 error page

The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.34 views

Obscure email addresses in Confluence Mail

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-2677. panel Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2025/04/08 1:18 a.m.33 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Service Management Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 5.12.4, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This net.minidev:json-smart Dependency vulnerability,...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/29 5:45 p.m.33 views

com.hazelcast:hazelcast Dependency in Bitbucket Data Center and Server

This High severity com.hazelcast:hazelcast Dependency vulnerability was introduced in versions 7.21.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, and 8.18.0 of Bitbucket Data Center and Server. This com.hazelcast:hazelcas...

7.6CVSS6.2AI score0.00503EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/14 7:12 a.m.33 views

org.springframework:spring-webmvc Dependency in Bitbucket Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, and 8.18.0 of Bitbucket Data Center and Server. This org.springframework:spring-webmvc Dependency...

7.5CVSS6.7AI score0.14718EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/04 11:11 p.m.33 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Crowd Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.23072EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/16 8:11 p.m.33 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Jira Service Management Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0 and 5.14.0 of Jira Service Management Data Center and Server. This com.nimbusds:nimbus-jose-jwt...

7.5CVSS7.4AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/23 4:18 a.m.33 views

RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

This High severity RCE Remote Code Execution vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has...

8.8CVSS8.2AI score0.00714EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/20 8:47 a.m.33 views

BASM (Broken Authentication & Session Management) browserify-sign Dependency in Confluence Data Center

This High severity BASM Broken Authentication & Session Management vulnerability was introduced in version 7.11 of Confluence Data Center. This BASM Broken Authentication & Session Management vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to exploit a cryptographic...

7.5CVSS7.1AI score0.00508EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/10 1:15 a.m.33 views

DoS (Denial of Service) org.apache.cxf:cxf-rt-rs-security-jose Dependency in Bitbucket Data Center and Server

This High severity org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability was introduced in versions 8.9.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server. This org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7AI score0.01269EPSS
Exploits0
Atlassian
Atlassian
added 2024/04/09 1:51 a.m.33 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of...

8.8CVSS7AI score0.03489EPSS
Exploits0
Atlassian
Atlassian
added 2022/09/06 6:48 p.m.33 views

Reset password function leaks information that can be used to harvest accounts

h3. Issue Summary When hitting the resetuserpassword.action URL directly with a username value, it's possible to identify valid users through the responses given by Confluence. The response for a valid user differs from the response for an invalid user. This is an issue as a malicious entity can...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2022/07/15 8:57 p.m.33 views

Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. Affected versions: versi...

8.8CVSS8AI score0.00555EPSS
Exploits0
Atlassian
Atlassian
added 2021/11/02 9:56 a.m.33 views

Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13

h3. Issue Summary Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2021/10/07 12:6 p.m.33 views

Local File Dislocusure to Browse All Files in /atlassian-bamboo

This vulnerability affects certain versions of Atlassian Bamboo. Attacker can craft URL to browse all files inside /atlassian-bamboo at Bamboo installation folder, which includes files at WEB-INF folder...

4.3AI score
Exploits0
Atlassian
Atlassian
added 2021/09/15 1:19 a.m.33 views

Access-revoked user can view audit logs of Jira Projects - CVE-2021-41309

Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The...

5.3CVSS5.8AI score0.00804EPSS
Exploits0
Atlassian
Atlassian
added 2021/03/01 8:35 p.m.34 views

Blind SSRF in widgetConnector - CVE-2021-26072

Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability in the widgetconnector plugin. When running in an environment like Amazon EC2, this flaw may be used to access...

4.3CVSS2.8AI score0.38845EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/04 1:15 a.m.33 views

Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. Affected versions: version...

5.3CVSS5.4AI score0.01244EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/19 10:18 p.m.33 views

Project enumeration via Jira Projects plugin report page - CVE-2020-29451

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version...

4.3CVSS4.8AI score0.00846EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/04 7:26 a.m.33 views

User has access to project and repository after global permission has been removed

h3. Problem User has access to project and repository after global permission has been removed. Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user. h3. Environment - Tested on 7.5 and 7.3 h3. Steps to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/10/05 8:20 p.m.33 views

SEN disclosure via HTTP Response headers - CVE-2020-14183

Affected versions of Jira Server & Data Center allow a remote attacker with limited non-admin privileges to view a Jira instance's Support Entitlement Number SEN via an Information Disclosure vulnerability in the HTTP Response headers. Affected versions: version 7.13.18 8.0.0 ≤ version 8.5.9 8.6....

4.3CVSS4.3AI score0.01287EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/18 2:45 a.m.33 views

XSS in API and Integrations - CVE-2020-14166

Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in API and Integrations. Affected versions: version 4.10.0 Fixed versions: 4.10.0...

4.8CVSS5.6AI score0.0194EPSS
Exploits3
Atlassian
Atlassian
added 2020/06/02 3:23 p.m.33 views

Velocity Template Injection in Custom user macros - Macros Platform - CVE-2020-4027

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. This issue was discovered and reported by GHSL team member...

6.5CVSS5.6AI score0.01515EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.33 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5AI score0.00772EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/28 5:26 a.m.33 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:36 p.m.33 views

XSS in the review resource through objectives - CVE-2020-4013

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the review objectives...

5.4CVSS5.1AI score0.00628EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/08 3:20 a.m.33 views

Information Disclosure in comment restriction feature - CVE-2019-20410

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. Affected versions: version 7.6.17 7.7.0 ≤ version 7.13.9 8.0.0 ≤ version 8.4.2 Fixed versions: 7.6.17...

6.5CVSS5.7AI score0.01864EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/08 3:6 a.m.33 views

Improper authentication on Convert Sub-Task to Issue page - CVE-2019-20412

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names Project Key, if it is part of the workflow name Issue Keys Issue Types Status...

5.3CVSS6.3AI score0.01883EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/04 11:56 p.m.33 views

Confluence on Windows was vulnerable to DLL hijacking - CVE-2019-20406

The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a dll file in a directory in the global path environmental variable variable to inject code & escala...

7.8CVSS4.6AI score0.0048EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/23 12:5 a.m.33 views

XXE in OpenID client application - CVE-2019-20104

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. This issue was addressed by disabling the OpenID client application in Crowd. Please ...

7.5CVSS3.8AI score0.02434EPSS
Exploits1
Atlassian
Atlassian
added 2019/08/12 2:46 a.m.33 views

CDN caching can lead to leak of user information - CVE-2019-14997

The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN...

4.3CVSS4.7AI score0.01166EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:15 a.m.33 views

Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check...

7.5CVSS7.1AI score0.0205EPSS
Exploits0
Atlassian
Atlassian
added 2019/01/23 5:29 p.m.33 views

Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Affected versions:...

9CVSS3AI score0.05912EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.33 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/07/18 5:49 a.m.33 views

The bundled atlassian-http library had a content spoofing issue - CVE-2017-18103

The version of the bundled atlassian-http library was vulnerable to content-spoofing. See https://jira.atlassian.com/browse/HTTP-3 for more details...

4.7CVSS5.2AI score0.00826EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/04 9:7 p.m.33 views

Confluence error pages should remove stack trace from being output to the UI

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. panel h3. Problem Definition The Confluence error page typically displays "Oops - an error has occurred", it displays System error, the cause, then the stack trace that deals with that error. This is not desirable for all...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.33 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

Application Links needs to be updated see https://ecosystem.atlassian.net/browse/APL-1356. The affected versions of Application Links is/are before version 5.4.4...

4.8CVSS2.1AI score0.00635EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.33 views

Content spoofing in the attachment resource in the Firefox browser - CVE-2018-13389

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml...

4.7CVSS5.1AI score0.00998EPSS
Exploits0
Atlassian
Atlassian
added 2017/09/12 3:4 p.m.33 views

Authentication fails on UI pull, works in command line.

My password recently changed. I have updated my credentials in the authentication preferences in SourceTree, however UI pulls always fail due to an authentication error, even though my credentials are correct. If I run the exact same command in the terminal, the pull is successful...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/28 9:33 a.m.33 views

Add possibility to disable public access to JIRA

As an Administrator I would like to be able to disable public access to JIRA, so the users will have to login before they can browse projects, search issues or navigate to system dashboard. Workaround: In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however ...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/12 2:52 p.m.33 views

Comments from retricted blog post visible for unrestricted user

h5. Summary All comments made before the post restriction changed to "Viewing and editing restricted" will be available to all user in all updates. This is only happening for blog post, and page restriction working as expected. Tested in version 5.9.1customer's version and 6.1.3, same behavious c...

1.3AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295