4295 matches found
Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005
The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Bitbucket Server & Bitbucket Data Center before version 6.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing...
XSS in various types of nested wiki markup - CVE-2017-18102
The bundled version of atlassian-renderer in Crucible before version 4.7.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup. For more information see https://jira.atlassian.com/browse/RNDR-153 currently restricted to...
When the 'Any logged in user' permission is added to 'Browse Project' permission in a Service Desk project, customer will automatically receive notifications when mentioned in an internal comment.
h3. Issue Summary When the 'Any logged in user' permission is added to 'Browse Project' permission in a Service Desk project, customer will automatically receive notifications when mentioned in an internal comment. h3. Steps to Reproduce Test Case1: Create a Service Desk project. Head to project...
XSS in the activity stream gadget via the country parameter - CVE-2018-20827
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the country parameter...
Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240
The administrative linker functionality in Atlassian Fisheye before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the href parameter...
On error at /rest/ stack-trace is publicly visible
h3. Summary On Confluence server 6.12.2 requesting wrong REST URL /rest/cql/contenttypes?category=test we will see full stack-trace. The same we can see at https://confluence.atlassian.com/rest/cql/contenttypes?category=test On production, a regular user should not see the stack-trace when an err...
Several administrative resources missing WebSudo (improper access control vulnerability) - CVE-2018-13400
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...
XSS in IncomingMailServer resource - CVE-2018-13387
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML ...
XSS through header injection in the /browse/~raw resource - CVE-2018-5228
The /browse/raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the handling of response headers...
XSS in the searchrequest-xml resource through various fields - CVE-2017-18098
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 and before version 7.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through various fields...
The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229
The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...
XSS in the usermacros resource through the description of a macro - CVE-2017-18084
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the description of a macro. Acknowledgements Atlassian would like to credit Veit Hailperin @fenceposterro...
XSS in the IncomingMailServers resource through the messagesThreshold parameter - CVE-2017-18039
The IncomingMailServers resource in Atlassian JIRA from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the messagesThreshold parameter...
Argument injection in Mercurial repository handling - CVE-2017-14590
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following: create a repository in Bamboo edit an existing plan in Bamboo that has a non-linked Mercurial repository create or edit a plan...
CVE-2015-8361: Services exposed without authentication Vulnerability
Bamboo exposed services without first performing authentication checks. Attackers can use this vulnerability to extract confidential information from Bamboo, modify certain settings and manage build agents. To exploit this issue, attackers need to be able to access the Bamboo JMS port. Affected...
xss by swf file
In confluence comment module user can embed swf file in their comment, confluence are using a atltoken parameter on GET HTTP request, if the attacker send the link of .swf file the value of src on embed tag to his victim the malicious .SWF won't execute on the victim's browser . We can bypass thi...
Update Tomcat Native DLL in JIRA Installer
quote 7 new vulnerabilities were announced for OpenSSL on 5 June 2014. These vulnerabilities affect Tomcat Native, which ships with the Windows Installer versions of JIRA. So please update your JIRA Windows Installers to include a patched version of Tomcat Native DLL's, once these become availabl...
Restrictions do not apply in calendar macro
Team Calendar restrictions do not apply if the calendar is in a Calendar Macro withing a Confluence page. +Repro steps:+ Create a calendar. Restrict it to one group. Create a Confluence page with a calendar macro containing the restricted Calendar. View the page with a user with no permissions to...
Automatic access added to newly added bitbucket account without notificiation
Steps to replicate: Add a new bitbucket account to your JIRA OnDemand instance via the DVCS connector. Click on the cog to the right of your new account and view 'configure automatic access' Result: Automatic access will be set up and membership to the 'developers' group will be granted Expected...
JIRA sends in-app notifications to Confluence for restricted comments
If you have a primary application link between JIRA in Confluence, users get a notification in their Confluence workbox everytime someone comments in a ticket the user is watching. Users receive the notification with the text of the comment even when the comment is restricted to other groups,...
OAuth Administration screen is visible to anonymous users
If anonymous user access is enabled under "Global Permission", user can access to "OAuth Administration" page without the need to log-in. Here is the URL to the page: /plugins/servlet/oauth/view-consumer-info This page display Confluence administrators menu on the sidebar and other information su...
execution of javascript from filename
Steps to replicate: Add an attachment Rename the file to ".txt" Copy its remove link and open the link in a new browser window Result: The JavaScript code is executed, rather than showing the "proceed w/ deletion" screen. Everything works normally if you just click the delete button rather than...
Custom Seraph Authenticators broken in Confluence 5.0
The constructor signature of com.atlassian.confluence.event.events.security.LoginEvent changed between Confluence 4.3.x and 5.0 - an additional String parameter was added to the constructor. From this: code public LoginEventObject src, String username, String sessionId, String remoteHost, String...
Security enhancement: do not allow POST parameters to be used in GETs
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-32076. panel My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your...
UploadAttachmentsAction XSRF
The UploadAttachmentsAction action is declared to use a validatingStack interceptor chain, but does not use the RequiresSecurityToken element, leaving it open to an XSRF attack. If this were exploited, an attacker could force a user’s browser to upload files into a space they have write permissio...
Webwork direct method invocation can bypass validatingStack through Action aliases
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-27294. panel WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...
Arbitrary resource file download in urlrewrite.xml
There is an arbitrary resource file download vulnerability triggered by a third party library org.tuckey.web.filters.urlrewrite.UrlRewriteFilter. The urlrewrite.xml rules file shows the pattern that will trigger a forward rule, which is the equivelant of performing dp =...
XSS vulnerability in the "import word document" page action through the page name
On the "import word document" page action the name of the confluence page is a persistent xss vector as it is not encoded. How to Reproduce: 1. Create a confluence page with the following title noformat XSS"/alert'XSS' noformat 2. Navigate to the created page 3. Under the tools menu select "Impor...
The vulnerability exists in the standalone and also in the online demonstration enviroment.
It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter should contain at least two charakters. It is possible to enumerate all usernames by performing a search from 'query' value 'aa' to 'zz'...
Confluence does not respect HTTPS in Server Base URL when 301 redirecting
We have Confluence setup behind an Apache reverse proxy and our Server Base URL is set to "https://confluence...". However, when Confluence sends out a 301, it always sends the Location: http://confluence..., which then gets redirected by Apache to https://confluence... Confluence should respect...
Cross Site Request Forgery - Deleting User's Dashboards
Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL:...
Visual clues to native vs. ldap users and groups
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-23355. panel In a mixed environment with Confluence and LDAP users and groups, it would be helpful when administering users and...
logout.action is not protected against XSRF - CVE-2012-6342
Cross-site request forgery CSRF vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators, for requests that logout the user via a comment...
XSS vulnerability in login.action
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence login action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
Lock account after multiple login failure
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-23412. panel For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login unsuccessfull...
XSS vulnerability in Pagetree macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
Non-secure content warning in IE8 on the Dashboards screen caused by the wiki renderer
Wiki renderer-generated contents e.g. in the activity stream include references to icons with http prefix that cause IE8 to generate security warnings for JIRA instances accessible via HTTPS. To reproduce it, have contents in the activity stream gadget contain icons included by the wiki renderer,...
NullPointerException when Switching between Projects or Boards
In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...
Allow issue security level to use any custom field that implements UserCFNotificationTypeAware
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18099. panel It would be useful to be able to set the security level on an issue to include everyone who participated on an issue so if you h...
XSS vulnerability can be exploited on the WebDAV Configuration page
Steps: Go to WebDAV Configuration Enter 'alert"XSS"' Click on 'Add new regex' button The script will be executed. It will continue to be executed whenever a user clicks on the 'Save' button. This can be done by users in the confluence-admin group, so it could be used by them to gain access to...
XSS using onerror
We had a user enter a viagra ad that actual redirected to their site. I think the offending code was here: although obviously they didn't use example.com I've attached the whole page for examination...
Remember my password with LDAP
At the login screen, when we click on 'Remember my login on this computer' and login, everything works well. When we close the browser without logout, the login should be remember on this computer. When we try to get back into Jira, here's the bug that we have into our log file. 2008-04-22...
Implement user lockout mechanism to stop bruteforce login attacks
Hacker can try as many time he wants to login JIRA. You can build client, which sends username+password combinations as many time as you like. .. and if you have username, it is much easier to get in. ---- Implementation ideas: 1 Lock user after sequential X incorrect logins - X can be set by...
XSS bug: usernames not HTML-encoded in all places
When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting XSS attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...
When deleting an Issue Security Level issues need to be re-indexed
Create 1 security levels Put some issues into it Delete the level hence removing any security level from the issues You will not be able to find the issues any more - need to re-index...
should be able to login only via https
you should be able to configure JIRA to login via HTTPS. this is almost possible in 2.4.1. You can specify an https URL in security-config.xml as the login.url parameter. this makes loing links from e.g. the issue view page work correctly. a slight problem here is that the session remiains in the...
RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server
This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in version 6.10 of Confluence Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...
Path Traversal org.springframework:spring-webmvc Dependency in Bitbucket Data Center and Server
This High severity org.springframework:spring-webmvc vulnerability exists in 8.9.0 - 8.9.23 and 8.19.0 to 8.19.12 of Bitbucket Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
Users who don't have Jira administrators global permission can create issue collectors
h3. Issue Summary The following description exists in our document "Using the issue collector|https://confluence.atlassian.com/adminjiraserver0912/using-the-issue-collector-1346047512.html" code For all of the following procedures, you must be logged in as a user with the Jira administrators glob...
DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Crowd Data Center and Server
This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, and 5.3.0 of Crowd Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...