Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2011/06/27 11:56 p.m.31 views

logout.action is not protected against XSRF - CVE-2012-6342

Cross-site request forgery CSRF vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators, for requests that logout the user via a comment...

6.8CVSS6.3AI score0.01665EPSS
Exploits2
Atlassian
Atlassian
added 2010/12/03 3:25 a.m.31 views

XSS vulnerability in Pagetree macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 12:58 a.m.31 views

JIRA is vulnerable to clickjacking attacks

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21101. panel A clickjacking attack on JIRA would most likely take the form of a third-party site, containing an invisible iframe on top of a...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/28 5:51 a.m.31 views

Allow issue security level to use any custom field that implements UserCFNotificationTypeAware

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18099. panel It would be useful to be able to set the security level on an issue to include everyone who participated on an issue so if you h...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/06/18 7:0 a.m.31 views

XSS vulnerability can be exploited on the WebDAV Configuration page

Steps: Go to WebDAV Configuration Enter 'alert"XSS"' Click on 'Add new regex' button The script will be executed. It will continue to be executed whenever a user clicks on the 'Save' button. This can be done by users in the confluence-admin group, so it could be used by them to gain access to...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2008/04/22 5:36 p.m.31 views

Remember my password with LDAP

At the login screen, when we click on 'Remember my login on this computer' and login, everything works well. When we close the browser without logout, the login should be remember on this computer. When we try to get back into Jira, here's the bug that we have into our log file. 2008-04-22...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/01 12:29 p.m.31 views

Project name that contains double-quote is not properly escaped on Issue Navigator page

If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:8 p.m.31 views

Implement user lockout mechanism to stop bruteforce login attacks

Hacker can try as many time he wants to login JIRA. You can build client, which sends username+password combinations as many time as you like. .. and if you have username, it is much easier to get in. ---- Implementation ideas: 1 Lock user after sequential X incorrect logins - X can be set by...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/01/10 3:32 a.m.31 views

XSS bug: usernames not HTML-encoded in all places

When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting XSS attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...

5.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/02/20 2:47 a.m.31 views

When deleting an Issue Security Level issues need to be re-indexed

Create 1 security levels Put some issues into it Delete the level hence removing any security level from the issues You will not be able to find the issues any more - need to re-index...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2003/09/18 8:16 p.m.31 views

should be able to login only via https

you should be able to configure JIRA to login via HTTPS. this is almost possible in 2.4.1. You can specify an https URL in security-config.xml as the login.url parameter. this makes loing links from e.g. the issue view page work correctly. a slight problem here is that the session remiains in the...

Exploits0Affected Software1
Atlassian
Atlassian
added 2025/04/10 1:12 a.m.30 views

XXE (XML External Entity Injection) in Jira Service Management Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.7, allows an attacker to access local and remote content. Atlassian...

6.5AI score
Exploits0
Atlassian
Atlassian
added 2025/02/13 4:13 p.m.30 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.2.0, 5.3.0, 6.0.0, 6.1.0 and 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS9.3AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2024/12/19 7:14 p.m.30 views

IDOR (Insecure Direct Object Reference) org.springframework:spring-webmvc Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in version 3.0 of Confluence Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.6AI score0.54862EPSS
Exploits6
Atlassian
Atlassian
added 2024/11/27 1:49 a.m.30 views

DoS (Denial of Service) in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 8.19.0, and 9.3.0 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to cause a resource to be unavailable for its intended users ...

5.3CVSS6.3AI score0.01429EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/21 10:54 p.m.30 views

org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.14 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.1CVSS6.7AI score0.00441EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/16 8:12 p.m.30 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Bamboo Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This com.nimbusds:nimbus-jose-jwt Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/14 9:45 a.m.30 views

DoS (Denial of Service) apache-struts in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7.1AI score0.05467EPSS
Exploits0
Atlassian
Atlassian
added 2023/09/28 7:24 p.m.30 views

RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

This High severity RCE Remote Code Execution vulnerability was introduced in version 3.4.14 of Sourcetree for Mac and Sourcetree for Windows. This RCE Remote Code Execution vulnerability, with a CVSS Score of 7.8, and a CVSS Vector of: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H which allows an...

8AI score
Exploits0
Atlassian
Atlassian
added 2023/02/23 6:33 a.m.30 views

Information disclosure via Synchrony service

Affected versions of Atlassian Confluence Server allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the Synchrony service. This vulnerability was discovered by Rojan Rijal of Tinder Security Engineering. The affected versions are before version...

4.2AI score
Exploits0
Atlassian
Atlassian
added 2022/08/18 1:53 p.m.30 views

"Fatal: unsafe repository" error when using Git 2.35.2 or newer

h3. Issue Summary When Fisheye is installed on Windows with Git 2.35.2 or newer versions, new commits and branches in Git are not visible in Fisheye. This issue occurs due to a security update in Git|https://github.blog/2022-04-12-git-security-vulnerability-announced/, as detailed in Error "fatal...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2022/06/24 9:55 a.m.30 views

REST API falsely updates Project Category without necessary permissions

panel:bgColor=e7f4fa NOTE: This is for JIRA Server and JIRA Data Center . panel h3. Issue Summary A User with Project Administrator permissions is able to update the Project Category via REST API. But in the Jira UI only a Jira Administrator is allowed to update the Project Category. h3. Steps to...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/29 8:51 a.m.30 views

Bitbucket displays sensitive DB details in error message in browser

h3. Issue Summary On application startup, if the database is down the Bitbucket application displays the sensitive database hostname & port details in the error message in browser. Error Message: noformat The database, as currently configured, is not accessible. Connection to : refused. Check tha...

1AI score
Exploits0
Atlassian
Atlassian
added 2022/02/08 11:13 a.m.30 views

Tomcat should not disclose its own version to unauthenticated users

h3. Problem Definition When accessing URLs that aren't under the application context and are not defined in Tomcat, Tomcat returns a 404 along with its own version. h4. +Steps to reproduce problem+ In a Jira instance with a context called jira for instance, browse http:///nonexistenturi. Make sur...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/08/25 1:6 a.m.30 views

User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. Affected versions: version 8.19.0 Fixed...

5.3CVSS5.4AI score0.01376EPSS
Exploits0
Atlassian
Atlassian
added 2021/05/20 4:26 a.m.30 views

7.13: Upgrade Confluence to latest Adopt OpenJDK versions 11.0.12

This issue includes running tests against JDK 11 latest11.0.127 and also bundling this JDK in installer...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/01/27 4:1 a.m.30 views

Gadget resource makeRequest defeats behind-the-firewall protection of app-linked resources - CVE-2021-26070

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the makeRequest gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0...

7.2CVSS6.6AI score0.01955EPSS
Exploits0
Atlassian
Atlassian
added 2021/01/25 7:2 a.m.30 views

Jira bundles a vulnerable version of atlassian-gadgets - CVE-2020-36232

The atlassian-gadgets plugin used in affected versions of Atlassian Jira Server and Data Center allows unexpected DNS lookups and requests to malicious servers via server side request forgery vulnerability. The affected versions are before version 8.5.10, from version 8.6.0 before version 8.13.2,...

5CVSS5.4AI score0.00975EPSS
Exploits0
Atlassian
Atlassian
added 2020/08/31 9:25 p.m.30 views

Project enumeration through /browse.PROJECTKEY - CVE-2020-14178

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. Affected versions: version 7.13.17 7.14.0 ≤ version 8.5.8 8.6.0 ≤ version 8.12.0 Fixed versions: 7.13.17 8.5....

7.5CVSS6.3AI score0.03051EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/23 4:39 p.m.30 views

MITM in Repository Import - CVE-2020-14171

Affected versions of Atlassian Bitbucket Server allow remote attackers to intercept unencrypted repository import requests via Man-in-the-Middle MITM attack. Affected versions: 4.9.0 = version 7.2.4 Fixed versions: 7.2.4 7.3.0...

6.5CVSS6.8AI score0.00558EPSS
Exploits0
Atlassian
Atlassian
added 2020/06/18 2:44 a.m.30 views

Man-in-the-middle in Jira email client - CVE-2020-14168

The email client in Jira Server and Data Center allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle MITM vulnerability Affected versions: version 7.13.14 8.5.0 ≤ version 8.5.5 8.8.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed version...

5.9CVSS6.6AI score0.0168EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/22 1:47 a.m.30 views

Information disclosure in System Administration - Global Permissions - CVE-2019-20898

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. Affected versions: version = 8.5.12: Enable feature...

7.5CVSS4.8AI score0.01304EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/19 11:32 p.m.30 views

XSS in XML export view - CVE-2020-4021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the XML export view. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.5 8.6.0 ≤ version 8.8.1 Fixed versions: 7.13.16 8.5....

5.4CVSS5.6AI score0.01003EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/11 4:1 a.m.30 views

Confluence Server and Data Center - Atlassian Companion Man-in-the-Middle - CVE-2019-15006

h3. Issue Summary There was a man-in-the-middle MITM vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence...

6.5CVSS2AI score0.01905EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/10 2:35 a.m.30 views

Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009

The /json/profile/removeStarAjax.do resource in Atlassian Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability...

4.3CVSS6.3AI score0.00732EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:45 a.m.30 views

The ViewSystemInfo class doGarbageCollection method was vulnerable to CSRF - CVE-2019-11588

The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery CSRF vulnerability...

4.3CVSS6.3AI score0.00793EPSS
Exploits0
Atlassian
Atlassian
added 2019/08/09 3:42 a.m.30 views

Open redirect in the ChangeSharedFilterOwner resource - CVE-2019-11589

The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery CSRF token, via a open redirect...

6.1CVSS5.4AI score0.01119EPSS
Exploits0
Atlassian
Atlassian
added 2019/03/29 2:29 p.m.30 views

Copying and pasting Status Macro (or TOC Macro) over https triggers mixed content and breaks certificate trust

h3. Issue Summary Copying and pasting a status macro or TOC over https in the browser will trigger mix content action, it will break the certificate trust on request of: Status macro plugins/servlet/status-macro/placeholder?title=titlehere&colour=Yellow TOC macro...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/02/14 8:50 p.m.30 views

XSS in edit upload for a review through the wbuser parameter - CVE-2018-20241

The Edit upload resource for a review in Atlassian Fisheye before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the wbuser parameter...

5.4CVSS4AI score0.00904EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/14 2:51 a.m.30 views

XSS in the listApplicationLinks resource of the Application links plugin - CVE-2018-20239

The version of the Application Links plugin used in Jira before version 7.13.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the applinkStartingUrl parameter. See https://ecosystem.atlassian.net/browse/APL-1373 for more details...

5.4CVSS3.7AI score0.03401EPSS
Exploits0
Atlassian
Atlassian
added 2018/12/21 6:6 a.m.30 views

XSS in the labels widget gadget - CVE-2018-20232

The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the rendering of retrieved content from a url location that could be...

5.4CVSS3.3AI score0.00911EPSS
Exploits0
Atlassian
Atlassian
added 2018/09/17 12:47 p.m.30 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/09 4:7 a.m.30 views

The bundled atlassian-http library had a content spoofing issue - CVE-2017-18103

The version of the bundled atlassian-http library was vulnerable to content-spoofing. See https://jira.atlassian.com/browse/HTTP-3 for more details...

4.7CVSS1.6AI score0.00826EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/05 4:8 a.m.30 views

XSS in the Trello board importer resource - CVE-2017-18097

The Trello board importer resource in Atlassian Jira before version 7.6.1 and before version 7.7.0 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the title of a Trell...

5.4CVSS5.2AI score0.00678EPSS
Exploits0
Atlassian
Atlassian
added 2018/03/13 8:23 a.m.30 views

Remote Code Execution via in Browser Editing - CVE-2018-5225

An authenticated user of Bitbucket Server could gain remote code execution using the in browser editing feature via editing a symbolic link within a repository. Affected versions: All versions of Bitbucket Server before 5.4.8 the fixed version for 4.13.0 through to 5.4.7, 5.5.0 before 5.5.8 the...

9.9CVSS2.5AI score0.0362EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/02 12:10 a.m.30 views

XSS in the editinword resource through the contents of an uploaded file - CVE-2017-18083

The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the contents of an uploaded file...

5.4CVSS4.1AI score0.00591EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/17 2:15 a.m.30 views

Various Cross-site request forgery(CSRF) vulnerabilities in the Jira-importers-plugin - CVE-2017-18033

The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery CSRF vulnerabilities...

6.5CVSS6.4AI score0.00545EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/12 2:26 a.m.30 views

Cross-site request forgery(CSRF) in the IncomingMailServers resource - CVE-2017-16862

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.1AI score0.00644EPSS
Exploits0
Atlassian
Atlassian
added 2017/06/14 2:49 p.m.30 views

Request Participants beside Reporter can remove other participants.

h3. Summary: Apparently, participants of a request have a control to whom the request is "Shared" with even though it is not the Reporter. Hence, they can actually remove themselves from the Request and unable to view it after that. Also, they can remove other parties from the request as well. h3...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/15 2:23 a.m.30 views

XSS in /includes/decorators/global-translations.jsp

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61888. panel Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce: Tamper with a GET request to...

6.1CVSS5.9AI score0.02111EPSS
Exploits3
Total number of security vulnerabilities4295