Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2018/04/04 9:7 p.m.33 views

Confluence error pages should remove stack trace from being output to the UI

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. panel h3. Problem Definition The Confluence error page typically displays "Oops - an error has occurred", it displays System error, the cause, then the stack trace that deals with that error. This is not desirable for all...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2018/02/22 5:24 a.m.33 views

The bundled Atlassian Application Links plugin had various XSS issues - CVE-2018-5227

Application Links needs to be updated see https://ecosystem.atlassian.net/browse/APL-1356. The affected versions of Application Links is/are before version 5.4.4...

4.8CVSS2.1AI score0.00635EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:12 a.m.33 views

Content spoofing in the attachment resource in the Firefox browser - CVE-2018-13389

The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml...

4.7CVSS5.1AI score0.00998EPSS
Exploits0
Atlassian
Atlassian
added 2017/09/12 3:4 p.m.33 views

Authentication fails on UI pull, works in command line.

My password recently changed. I have updated my credentials in the authentication preferences in SourceTree, however UI pulls always fail due to an authentication error, even though my credentials are correct. If I run the exact same command in the terminal, the pull is successful...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/28 9:33 a.m.33 views

Add possibility to disable public access to JIRA

As an Administrator I would like to be able to disable public access to JIRA, so the users will have to login before they can browse projects, search issues or navigate to system dashboard. Workaround: In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however ...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/08 5:13 a.m.33 views

Command Injection (CVE-2017-8768)

SourceTree for Mac is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Affected versions: Versions of SourceTree for Mac starting with 1.4.0 before version 2.5.1 are affected by this vulnerability. Fix...

10CVSS3.5AI score0.08262EPSS
Exploits0
Atlassian
Atlassian
added 2017/01/13 4:59 a.m.33 views

The Confluence Login page should not gives details of build version to unauthenticated users

The login page discloses detailed version information of the application to unauthenticated users. !screenshot-1.png|thumbnail! This information facilitates finding vulnerabilities for possible attackers suggestion: Remove the build number completely in the login page...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/12 3:54 a.m.33 views

CVE-2014-9757: Deserialisation Through Smack Resulting in Remote Code Execution Vulnerability

Bamboo used an old version of the Smack XMPP library that deserialises messages received from XMPP. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo if a XMPP connection has been configured. To exploit this issue, Bamboo...

9.8CVSS9.2AI score0.02338EPSS
Exploits0
Atlassian
Atlassian
added 2015/10/02 9:6 a.m.33 views

Active Directory/LDAP credentials stored in database in cleartext

We use an Active Directory server for authenticating our JIRA users, and a MySQL server for storing our JIRA data. We were extremely alarmed to discover that the username and password used for accessing the AD server are stored in cleartext in the MySQL database. Anyone who is able to compromise...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2015/09/01 2:42 p.m.33 views

change fontset 'icons' to html entities to improve security compliance

It seems that the icons in Confluence are currently rendered using fontset. This can be an issue for organization especially banks that have strict security constraint fontset cannot be downloaded as a result this will not render on customer instance. I would recommend that we change the current...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/08/04 1:6 p.m.33 views

Workbox Plugin loads full HTML of JIRA comment, leads to GC loop of death on large comment

To reproduce: start Confluence with GC logging enabled optional, but helps Link Confluence and JIRA create an issue in JIRA watch it add a large comment to the JIRA issue, e.g. paste a 7.7MB log file between \code\ tags open the workbox in Confluence optional: in network tab of web developer tool...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/01 6:42 p.m.33 views

Advanced JQL Search does not Respect User email visibility Hidden

h4. Problem The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails See screenshots h4. Steps to Reproduce Set User email visibility to Hidden JIRA Administration System General Configuration Edit Use...

Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/28 8:4 p.m.33 views

Project's permission bypass JIRA global permissions

h3. Summary Users are able to create/comment issues via email without group membership if they are added directly to the project's permission. User shouldn't be able to do that since he can't access the application itself. Same applies to JIRA's notifications. h3. Steps to Reproduce Remove user...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2015/03/15 10:56 p.m.33 views

Restricted blog post visible in the month summary page

Steps to reproduce: 1. create a new blog post, and restrict it to yourself 2. log in as another user and go to Blogs in sidebar 3. blog is not visible in the blogs summary page 4. click a visible blog in the same month 5. click the month link in the breadcrumb 5. restricted blog title and excerpt...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/01/28 10:18 a.m.33 views

Disabling user in delegated Active Directory doesn't disable them in Confluence until they log in

h3.Steps to Reproduce Create a delegated directory, hooked to Active Directory Login with an AD user, with the "Remember Me" option checked Close the browser completely Disable the user in AD by checking the "Account is disabled" option in User Properties Account Account Options Launch the browse...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/27 1:2 a.m.33 views

Remote DoS Exploit on Confluence

Nir Goldshlager have discovered a vulnerability on atlassian-gadgets when parsing XMLs. Basically anyone can craft a URL containing a parameter with some XML that will make the instance run out of memory when trying to parse it. Details on the attack can be found on...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/09 12:56 p.m.33 views

statTypes REST API exposes all statistics field names anonymously

On an instance with no anonymous access enabled, /rest/gadget/1.0/statTypes returns a list of all stattable custom fields names and IDs in the instance in response to anonymous requests. This is a nasty exposure of data - admins have no way of knowing that private data shouldn't be put into custo...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/30 6:26 p.m.33 views

/rest/menu/1.0/appswitcher displays data unauthenticated

"Calling" this function returns data without any authentication required: noformat curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/01 4:52 a.m.33 views

Force change of password when enabling the default applications in crowd

Currently it is too easy for an administrator to click through the crowd setup wizard and enable the openid & demo application and not set passwords for either of the applications. It should not be possible to enable a default application without first changing the default password...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/04/04 10:48 a.m.33 views

Editing "Global Templates" possible without admin login

If you are logged in to the admin panel you get the following line: quoteYou have temporary access to administrative functions. Drop access if you no longer require it. For more information, refer to the documentation.quote Pressing "Drop access" redirects you to the normal Wiki page, away from t...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/15 12:39 a.m.33 views

Arbitrary resource file download in urlrewrite.xml

There is an arbitrary resource file download vulnerability triggered by a third party library org.tuckey.web.filters.urlrewrite.UrlRewriteFilter. The urlrewrite.xml rules file shows the pattern that will trigger a forward rule, which is the equivelant of performing dp =...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/07/31 9:7 a.m.33 views

ldap injection in the custom atlassian authentication code

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47275. panel The custom atlassian ldap authentication code is vulnerable to ldap injection. The method which is vulnerable to...

8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/08/18 1:40 a.m.33 views

JIRA FishEye plugin not working - Error handling trusted applications authentication attempt: BAD_SIGNATURE

This bug effects you if: you are running JIRA 4.4+ and FishEye 2.6.0-2.6.3 you have Trusted Applications authenticating the link between your JIRA and FishEye servers If you attempt to configure or use the JIRA FishEye plugin, you may see errors in the UI and log messages like this in JIRA:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/03 10:17 a.m.33 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2011/02/22 9:55 p.m.33 views

Remember Me filter not working for FishEye/Crucible

The current implementation of the FishEye filter still require that the Remember Me cookie have the encrypted credentials for the user, what is no longer true as that pose a major security vulnerability. The filter should rely on the JIRA Remember Me funcionality. If the user logged in using the...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2010/08/06 1:53 a.m.33 views

Replace unsafe text gadget and add to JIRA Cloud

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21965. panel panel:title=Atlassian Update - 23 April 2015|borderStyle=solid|borderColor=ebf2f9|titleBGColor=ebf2f9|bgColor=ffffff Hi everyone...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/06/25 3:40 p.m.33 views

Malicious File Upload

The application server accepted a vbscript file, an HTML file containing JavaScript, and the EICAR test virus as allowed attachments. This means that an attacker could submit a malicious file to the backend, where the file might be launched by another internal RIM employee if they click and open...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/28 5:50 a.m.33 views

Confluence displays ALL attachments when the following URL is viewed

i removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, Irrispecitve of space and page level permission restrictions. For Example:...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/20 8:13 a.m.33 views

XSS bug in wiki markup link rendering

The following wikimarkup creates links with an onclick event. noformat test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' noformat This is due to the following code in...

1AI score
Exploits0
Atlassian
Atlassian
added 2007/10/09 3:24 p.m.33 views

user value of JiraAuthenticationContext not set is SOAP service getIssue()

Call to JiraAuthenticationContext.setUser missing during getIssue SOAP service call. Service call will fail silently if there are custom fields with explicit secutity checking for attributes derived from current user. In my case I try to verify existance of an issue using getIssue SOAP service...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/30 6:32 p.m.33 views

"Current Assignee" on Browse Permission problem

I have created a permission scheme in Jira but I am experiencing an odd behaviour. I have 5 users in Jira and in the permission scheme, the Browse Projects is assigned to: - Project Lead - Project Role Administrators - Project Role Clients Among the 5 users, 3 fit these categories. One is a proje...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/01/10 3:32 a.m.33 views

XSS bug: usernames not HTML-encoded in all places

When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting XSS attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...

5.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/12/01 11:15 p.m.33 views

Manage authentication for NTLM proxies

We want to access RRS content internally, but we are using a secured proxy requiring authentication via NTLM or user/password. We setted up the standard Java proxies properties: http.proxyHost, http.proxyPort and http.auth.ntlm.domain. But it seams that the http.auth.ntlm.domain properties does n...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/04/09 2:39 p.m.33 views

Asked to re-authenticate to delete issue

/jira/secure/DeleteIssue!default.jspa?id=10012 everything seems to work ok, but I try to delete previously existing issue and I get redirected to the URL above. instead of a delete issue page, I get a login page, only it looks messed up - it's the login form table miniwindow except spread 100%...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/12 12:31 a.m.32 views

RCE (Remote Code Execution) at mchange-commons-java dependency in Bamboo Data Center

This High severity RCE Remote Code Execution vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.9 and a CVSS Vector of...

9.8CVSS6.3AI score0.00812EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/07 5:9 a.m.32 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS6.9AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/03/12 3:10 a.m.32 views

Path Traversal (Arbitrary Read/Write) org.springframework:spring-webmvc Dependency in Jira Service Management Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 5.12.0 Jira Service Management Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.5AI score0.54862EPSS
Exploits6
Atlassian
Atlassian
added 2025/02/14 8:12 a.m.32 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in version 6.10 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS7.4AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2024/11/04 11:11 p.m.32 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Confluence Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 6.5 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.3AI score0.23072EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/25 4:20 p.m.32 views

DoS (Denial of Service) tomcat Dependency in Crowd Data Center

This High severity Third-Party Dependency vulnerability was introduced in versions 5.1.11, 5.2.6, 5.3.2, and 6.0.0 of Crowd Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to...

7.5CVSS7.1AI score0.04602EPSS
Exploits0
Atlassian
Atlassian
added 2024/08/28 4:11 p.m.32 views

DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-configuration2 Dependency vulnerability was introduced in versions 6.0 of Confluence Data Center and Server. This org.apache.commons:commons-configuration2 Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of...

7.3CVSS7.7AI score0.02054EPSS
Exploits0
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.32 views

Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the GIF Image Reader component. The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0. Affected...

5.5CVSS5.4AI score0.01066EPSS
Exploits0
Atlassian
Atlassian
added 2021/05/07 12:16 a.m.32 views

XSS in fieldID - CVE 2021-26079

The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability. Affected...

6.1CVSS5.7AI score0.01237EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/06 11:46 p.m.32 views

DoS by uploading a lot of data for avatars in Confluence - CVE-2020-29450

Affected versions of Atlassian Confluence Server allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the avatar upload feature in Confluence. The affected versions are before version 7.2.0. Affected versions: version 7.2.0 Fixed versions:...

6.5CVSS6.3AI score0.02214EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/19 12:10 a.m.32 views

A user-supplied regex in EyeQL causes ReDoS - CVE-2020-14190

Affected version of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. Affected versions: version 4.8.4 Fixed versions: 4.8.4 4.9.0...

7.5CVSS7.3AI score0.01212EPSS
Exploits0
Atlassian
Atlassian
added 2020/10/06 10:57 p.m.32 views

XSS in Jira issue filter export file via malicious full name - CVE-2020-14184

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in Jira issue filter export files. The affected versions are before version 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before...

5.4CVSS3.7AI score0.00944EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/16 2:46 a.m.32 views

XSS in WYSIWYG editor via pasted code - CVE-2020-14164

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the WYSIWYG editor. The affected versions are before 8.5.9, and from version 8.6.0 before 8.8.2. Affected versions: version...

6.1CVSS4.8AI score0.00732EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/02 6:19 a.m.32 views

The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

The bundled version of Atlassian Navigator Links plugin in Atlassian Fisheye before version 4.8.2 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check. Additional details about the issue in...

4.3CVSS5.1AI score0.0075EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:46 p.m.32 views

Information disclosure in the /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin - CVE-2020-4017

The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 6:55 p.m.32 views

Improper authorization vulnerablity in the /profile/deleteWatch.do resource- CVE-2020-4014

The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability...

4.3CVSS5.1AI score0.00765EPSS
Exploits0
Total number of security vulnerabilities4295