Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2011/05/03 10:17 a.m.33 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2011/02/22 9:55 p.m.33 views

Remember Me filter not working for FishEye/Crucible

The current implementation of the FishEye filter still require that the Remember Me cookie have the encrypted credentials for the user, what is no longer true as that pose a major security vulnerability. The filter should rely on the JIRA Remember Me funcionality. If the user logged in using the...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2010/08/06 1:53 a.m.33 views

Replace unsafe text gadget and add to JIRA Cloud

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21965. panel panel:title=Atlassian Update - 23 April 2015|borderStyle=solid|borderColor=ebf2f9|titleBGColor=ebf2f9|bgColor=ffffff Hi everyone...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/06/25 3:40 p.m.33 views

Malicious File Upload

The application server accepted a vbscript file, an HTML file containing JavaScript, and the EICAR test virus as allowed attachments. This means that an attacker could submit a malicious file to the backend, where the file might be launched by another internal RIM employee if they click and open...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/20 8:13 a.m.33 views

XSS bug in wiki markup link rendering

The following wikimarkup creates links with an onclick event. noformat test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' noformat This is due to the following code in...

1AI score
Exploits0
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.33 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/30 6:32 p.m.33 views

"Current Assignee" on Browse Permission problem

I have created a permission scheme in Jira but I am experiencing an odd behaviour. I have 5 users in Jira and in the permission scheme, the Browse Projects is assigned to: - Project Lead - Project Role Administrators - Project Role Clients Among the 5 users, 3 fit these categories. One is a proje...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/12/01 11:15 p.m.33 views

Manage authentication for NTLM proxies

We want to access RRS content internally, but we are using a secured proxy requiring authentication via NTLM or user/password. We setted up the standard Java proxies properties: http.proxyHost, http.proxyPort and http.auth.ntlm.domain. But it seams that the http.auth.ntlm.domain properties does n...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/04/09 2:39 p.m.33 views

Asked to re-authenticate to delete issue

/jira/secure/DeleteIssue!default.jspa?id=10012 everything seems to work ok, but I try to delete previously existing issue and I get redirected to the URL above. instead of a delete issue page, I get a login page, only it looks messed up - it's the login form table miniwindow except spread 100%...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/12 12:31 a.m.32 views

RCE (Remote Code Execution) at mchange-commons-java dependency in Bamboo Data Center

This High severity RCE Remote Code Execution vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.9 and a CVSS Vector of...

9.8CVSS6.3AI score0.00812EPSS
Exploits1
Atlassian
Atlassian
added 2025/04/08 1:18 a.m.32 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Service Management Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 5.12.4, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This net.minidev:json-smart Dependency vulnerability,...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/14 7:12 a.m.32 views

org.springframework:spring-webmvc Dependency in Bitbucket Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, and 8.18.0 of Bitbucket Data Center and Server. This org.springframework:spring-webmvc Dependency...

7.5CVSS6.7AI score0.14718EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/04 11:11 p.m.32 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Confluence Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 6.5 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.3AI score0.23072EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/16 8:11 p.m.32 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Jira Service Management Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0 and 5.14.0 of Jira Service Management Data Center and Server. This com.nimbusds:nimbus-jose-jwt...

7.5CVSS7.4AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/23 4:18 a.m.32 views

RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

This High severity RCE Remote Code Execution vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has...

8.8CVSS8.2AI score0.00714EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/20 8:47 a.m.32 views

BASM (Broken Authentication & Session Management) browserify-sign Dependency in Confluence Data Center

This High severity BASM Broken Authentication & Session Management vulnerability was introduced in version 7.11 of Confluence Data Center. This BASM Broken Authentication & Session Management vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to exploit a cryptographic...

7.5CVSS7.1AI score0.00508EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/10 1:15 a.m.32 views

DoS (Denial of Service) org.apache.cxf:cxf-rt-rs-security-jose Dependency in Bitbucket Data Center and Server

This High severity org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability was introduced in versions 8.9.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server. This org.apache.cxf:cxf-rt-rs-security-jose Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7AI score0.01269EPSS
Exploits0
Atlassian
Atlassian
added 2023/07/06 7:54 a.m.32 views

Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting

h3. Issue Summary When using the open-source Jira Python library|https://github.com/pycontribs/jira to make REST API calls to Jira, if cookie-based authentication|https://jira.readthedocs.io/examples.htmlcookie-based-authentication is used then Jira's rate limits will be bypassed. This can result...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.32 views

Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the GIF Image Reader component. The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0. Affected...

5.5CVSS5.4AI score0.01066EPSS
Exploits0
Atlassian
Atlassian
added 2021/05/07 12:16 a.m.32 views

XSS in fieldID - CVE 2021-26079

The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected...

6.1CVSS5.7AI score0.01237EPSS
Exploits0
Atlassian
Atlassian
added 2021/04/14 2:32 a.m.32 views

Full path information disclose via invalid filename error message - CVE-2021-26075

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an...

4.3CVSS4.5AI score0.0161EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/06 11:46 p.m.32 views

DoS by uploading a lot of data for avatars in Confluence - CVE-2020-29450

Affected versions of Atlassian Confluence Server allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the avatar upload feature in Confluence. The affected versions are before version 7.2.0. Affected versions: version 7.2.0 Fixed versions:...

6.5CVSS6.3AI score0.02214EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:10 a.m.32 views

A user-supplied regex in EyeQL causes ReDoS - CVE-2020-14190

Affected version of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions: 4.8.4 4.9.0...

7.5CVSS7.3AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2020/10/06 10:57 p.m.32 views

XSS in Jira issue filter export file via malicious full name - CVE-2020-14184

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in Jira issue filter export files. The affected versions are before version 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before...

5.4CVSS3.7AI score0.00932EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/16 2:46 a.m.32 views

XSS in WYSIWYG editor via pasted code - CVE-2020-14164

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the WYSIWYG editor. The affected versions are before 8.5.9, and from version 8.6.0 before 8.8.2. Affected versions: version...

6.1CVSS4.8AI score0.00732EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/29 5:18 a.m.32 views

XSS in Issue - Attachments - CVE-2020-4024

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version 8.5.5 8.6.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9...

5.4CVSS5.2AI score0.00926EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/16 6:55 p.m.32 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.1AI score0.00765EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/02 4:28 a.m.32 views

Stored XSS in Add Field module - CVE-2019-20900

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the Add Field module. Affected versions: version 8.7.0 Fixed versions: 8.7.0...

4.8CVSS5AI score0.00918EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/05 4:2 p.m.32 views

CSRF in VerifySmtpServerConnection!add.jspa - CVE-2019-20098

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumera...

4.3CVSS5AI score0.00815EPSS
Exploits1
Atlassian
Atlassian
added 2020/01/30 10:24 p.m.32 views

JMX monitoring flag in Jira was vulnerable to XSRF/CSRF - CVE-2019-20405

The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.1AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2020/01/23 1:36 a.m.32 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Jira Server and Data Center before version 7.13.12, from version 8.0.0 before version 8.5.4 and from version 8.6.0 before version 8.6.1 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an...

4.9CVSS5.5AI score0.01487EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.32 views

Information disclosure in the listEntityLinks servlet resource - CVE-2019-15011

The version of the Application Links plugin used in Crowd before version 3.3.5, and from version 3.4.0 before version 3.4.4 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for mor...

4.3CVSS3AI score0.00915EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 2:38 a.m.32 views

Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009

The /json/profile/removeStarAjax.do resource in Atlassian Fisheye before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability...

4.3CVSS6.2AI score0.00732EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 2:38 a.m.32 views

Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009

The /json/profile/removeStarAjax.do resource in Atlassian Fisheye before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability...

4.3CVSS6.2AI score0.00732EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/10 2:3 a.m.32 views

XSS in the the review resource through the name of a missing branch - CVE-2019-15007

The review resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a missing branch...

4.8CVSS4.2AI score0.00596EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:51 a.m.32 views

The AddResolution.jspa resource was vulnerable to CSRF - CVE-2019-11586

The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery CSRF vulnerability...

4.3CVSS6.1AI score0.00647EPSS
Exploits0
Atlassian
Atlassian
added 2019/05/09 2:50 p.m.32 views

Ability to have the Websudo functionality working with SAML / SSO

h3. Problem Definition When implementing SAML either through JDC or through a vendor plugin, the net result is you have to turn off websudo because you can't get websudo and SAML to work. The effect is you can go straight into administration functions without confirmation that you should. This...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/18 1:28 a.m.32 views

Bitbucket Data Center - Path traversal in the migration tool leads to RCE - CVE-2019-3397

h3. Issue Summary Bitbucket Data Center had a path traversal vulnerability in the Data Center migration tool. A remote attacker with authenticated user with admin permissions can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code executio...

9.1CVSS1.4AI score0.05057EPSS
Exploits1
Atlassian
Atlassian
added 2018/08/27 6:17 a.m.32 views

XSS in various resources when moving issues through the Epic Colour field of an issue - CVE-2018-13395

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML ...

6.1CVSS3.1AI score0.01008EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/15 12:44 a.m.32 views

The convertCommentToAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13393

The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user modify a comment into an answer via a Cross-site request forge...

6.5CVSS5.9AI score0.008EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.32 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.32 views

Content spoofing in the attachment resource in the Firefox browser - CVE-2018-13389

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml...

4.7CVSS5.1AI score0.00998EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/18 10:54 a.m.32 views

Missing permission check in review coverage REST endpoint - CVE-2017-18035

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistic...

4.3CVSS5.1AI score0.00803EPSS
Exploits0
Atlassian
Atlassian
added 2017/12/05 4:13 a.m.32 views

XSS through various RSS properties in the RSS macro - CVE-2017-16856

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting XSS vulnerabilities in various rss properties which were used as links without restriction on their scheme. h5. Acknowledgements Atlassian would...

6.1CVSS2.3AI score0.00809EPSS
Exploits0
Atlassian
Atlassian
added 2017/10/17 2:8 p.m.32 views

Contributors Summary Macro Shows Data to Anonymous Users

h2. Steps to reproduce In Global Permission, ensure Anonymous users "Can Use" Confluence Create new Space , eg: SpaceA Go To Space Tools Permissions Edit Permission Ensure Anonymous Users has "View" Permission Create a few test pages in SpaceA Then, create a page containing both Contributors Macr...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/30 2:6 a.m.32 views

The bundled Atlassian OAuth plugin allows arbitrary HTTP requests to be proxied - CVE-2017-9506

The version of the bundled Atlassian OAuth plugin was vulnerable to Server Side Request Forgery SSRF. This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an...

6.1CVSS1AI score0.71601EPSS
Exploits1
Atlassian
Atlassian
added 2017/06/08 2:49 a.m.32 views

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Confluence did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it...

4.3CVSS1.1AI score0.01264EPSS
Exploits1
Atlassian
Atlassian
added 2017/04/05 12:43 a.m.32 views

Unauthenticated users can view the content of Confluence blogs and pages (CVE-2017-7415)

The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication by providing a page id or draft id. Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the conten...

7.5CVSS1.2AI score0.04351EPSS
Exploits2
Atlassian
Atlassian
added 2017/03/13 4:15 a.m.32 views

Restricted Work Log entries show in the Activity Stream for JIRA Cloud

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/13 4:59 a.m.32 views

The Confluence Login page should not gives details of build version to unauthenticated users

The login page discloses detailed version information of the application to unauthenticated users. !screenshot-1.png|thumbnail! This information facilitates finding vulnerabilities for possible attackers suggestion: Remove the build number completely in the login page...

2.4AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295