Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2012/04/11 4:24 p.m.30 views

deletion of a comment with a security setting sends a notification to all watchers and the history tab

As a non-atlassian developer, I saw a deletion notification for a comment that I was restricted from viewing. That seems like a security leak. It would be annoying if we're trying to hide discussion from certain users for them to see that the discussion is happening at all, it would raise questio...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 12:58 a.m.30 views

JIRA is vulnerable to clickjacking attacks

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21101. panel A clickjacking attack on JIRA would most likely take the form of a third-party site, containing an invisible iframe on top of an...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/18 1:44 a.m.30 views

The current CAPTCHA implementation may not be secure

The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/02/17 4:24 a.m.30 views

Changing system locale means users with non-ASCII characters in their passwords cannot authenticate

The OSUser and Atlassian-User authenticators used by Confluence convert a password into bytes before hashing it. This conversion doesn't specify which encoding should be used, so the system's default encoding is used. If the system administrator changes the locale settings on the server or change...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 10:24 a.m.30 views

SSL for login page only does not work in Confluence 3.1

URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2009/08/17 1:13 a.m.30 views

XSS vulnerability can be exploited with the Userlister macro

Use the following markup: noformatuserlister:groups=alert'Vulerable'noformat Whenever the page is viewed, the script will be executed...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/01/15 11:31 p.m.30 views

Forgot Password/Crowd Integration exception handling and regex improvements

If JIRA is integrated with Crowd, and Crowd has password restrictions e.g. regex, a user will receive a stack trace in JIRA if the new password does not meet Crowd's password requirements e.g. through the Forgot Password link in JIRA. noformat java.lang.IllegalArgumentException: Could not change...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/03 1:10 a.m.30 views

Logging event information is not HTML encoded in 500 error page

The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/03 3:7 a.m.30 views

Session isn't invalidated on logout

When the user logs out the HttpSession isn't invalidated. The important details of the logged in user and other information is correctly cleared but other properties such as user preferences are not. The impact is things like the label's section and location section's openness state isn't correct...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 7:12 a.m.30 views

XSS vulnerabilities in insert image and link actions

In 2.7.x, the following URL's are vulnerable: - /users/insertlink.action - /users/insertlink-page-attachmentstab.action - /users/insertlink-page-uploadfile.action - /users/insertlink-draft-attachmentstab.action - /users/insertlink-draft-uploadfile.action - /users/doinsertimageinpage.action -...

4.2AI score
Exploits0
Atlassian
Atlassian
added 2008/03/10 4:58 a.m.30 views

XSS vulnerability in signup actions

Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2005/10/01 5:56 p.m.30 views

NPE in SpaceHelper borks page....

If you have a url for Space admin : http://server.name.com/spaces/listdecorators.action?key=BP2I And you get the space key wrong, then rather than failing gracefully, you end up with an sitemesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName retur...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/15 7:58 a.m.29 views

Security Headers Omission in Jira Service Management Data Center

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Security Headers Omission vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Service...

9.1CVSS7.2AI score0.0048EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/11 11:31 p.m.29 views

DoS (Denial of Service) at jackson-core dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 12.0.0 and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.29 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2025/04/10 1:12 a.m.29 views

XXE (XML External Entity Injection) in Jira Service Management Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.7, allows an attacker to access local and remote content. Atlassian...

6.5AI score
Exploits0
Atlassian
Atlassian
added 2024/12/19 7:14 p.m.29 views

IDOR (Insecure Direct Object Reference) org.springframework:spring-webmvc Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in version 3.0 of Confluence Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.6AI score0.54862EPSS
Exploits6
Atlassian
Atlassian
added 2024/11/27 1:49 a.m.29 views

DoS (Denial of Service) in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 8.19.0, and 9.3.0 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to cause a resource to be unavailable for its intended users ...

5.3CVSS6.3AI score0.01429EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/21 10:54 p.m.29 views

org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.14 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.1CVSS6.7AI score0.00441EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/04 11:11 p.m.29 views

DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability was introduced in versions 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server. This...

7.5CVSS7.2AI score0.23072EPSS
Exploits1
Atlassian
Atlassian
added 2024/10/16 8:12 p.m.29 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Bamboo Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This com.nimbusds:nimbus-jose-jwt Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2023/11/27 6:14 p.m.29 views

DOM-based XSS in comment when edit in a new tab

h3. Issue Summary DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker- controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval or innerHTML. This enables attackers to execute maliciously JavaScript, which...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/08/23 6:18 a.m.29 views

Log in to Customer portal can redirect user to a completely different URL

h3. Issue Summary Able to redirect to a completely different URL after login to JSM portal This is reproducible on Data Center: yes h3. Steps to Reproduce Set up a JSM project Open an incognito window Browse the link JIRABASEURL/servicedesk/customer/user/login?absolute=true&destination=//google.c...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/02 3:42 p.m.29 views

"Browse Project" permission set to specific values overrides the customer permission that results in the project getting exposed in the customer portal

h3. Steps to Reproduce In JSD project A, set the customer permission as "Who can access the portal and send requests to ?": "Customers my team adds to the project" Confirm that the project has no customers added Access the portal by a customer that has access to customer portal customer that is...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2022/03/16 5:12 a.m.29 views

Admin user can change Portfolio Plugin hierarchy without WebSudo validation

Affected versions of Atlassian Jira Server and Data Centre allow remote attackers to modify the hierarchy structure of the Portfolio Plugin via a Broken Access Control vulnerability in the hierarchy configuration component. The affected versions are before version 8.20.4, and from version 8.21.0...

5.3AI score
Exploits0
Atlassian
Atlassian
added 2021/10/18 4:31 a.m.29 views

Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References IDOR vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version...

7.5CVSS5.6AI score0.0157EPSS
Exploits0
Atlassian
Atlassian
added 2021/07/29 9:23 a.m.29 views

Audit Logs Store LDAP Password in Plain Text

h3. Problem In Confluence, when an external LDAP directory is created/modified, Audit logs store the LDAP connection password as plain text. h3. Environment 7.4.x . h3. Steps to Reproduce 1. In Confluence, create or modify a directory as Microsoft Active Directory, Crowd, Jira etc 2. After...

1AI score
Exploits0
Atlassian
Atlassian
added 2021/07/02 12:53 a.m.29 views

Information disclosure issue in the comment notification feature - CVE-2021-39120

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to learn when a restricted comment is removed from an issue via an information disclosure vulnerability in the comment notification functionality. The affected versions are before version 8.18.0. Affected versions:...

5.3AI score
Exploits0
Atlassian
Atlassian
added 2021/05/20 4:26 a.m.29 views

7.13: Upgrade Confluence to latest Adopt OpenJDK versions 11.0.12

This issue includes running tests against JDK 11 latest11.0.127 and also bundling this JDK in installer...

2.6AI score
Exploits0
Atlassian
Atlassian
added 2020/12/10 2:10 a.m.29 views

Sending multiple concurrent file upload requests will permanently break a review - CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. Affected...

4.3CVSS5.4AI score0.00991EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/05/28 5:17 a.m.29 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5AI score0.00772EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/22 6:33 a.m.29 views

REST API for Add user to group returns error 400 instead of 404 when the user does not exist

h3. Issue Summary REST API for Add user to group returns error 400 instead of 404 when the user does not exist. According to the documentation of JIRA 8.5.3|https://docs.atlassian.com/software/jira/docs/api/REST/8.5.3/api/2/group-addUserToGroup when the user or group does not exist, an error 404...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/16 7:38 p.m.29 views

Information disclosure in the /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin - CVE-2020-4016

The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability...

5.3CVSS5.2AI score0.01245EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/16 7:26 p.m.29 views

Security misconfiguration in the /json/fe/activeUserFinder.do resource - CVE-2020-4015

The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a security misconfiguration...

4.3CVSS5AI score0.0096EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/24 1:25 a.m.29 views

Network enumeration via CSRF in Applinks endpoint

The Applinks endpoint in Atlassian Jira Server and Data Center in affected versions allows remote attackers to enumerate local network resources via a cross-site request forgery CSRF vulnerability. Affected versions: version 8.5.4 8.6.0 ≤ version 8.7.0 Fixed versions: 8.5.4 8.7.0...

4.7CVSS5AI score0.01021EPSS
Exploits1
Atlassian
Atlassian
added 2020/02/05 5:5 p.m.29 views

CSRF in Application Links plugin allows network enumeration - CVE-2019-20100

Atlassian Jira Server and Data Center before version 8.7.0 use a version of the Atlassian Application Links plugin that is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to...

4.7CVSS5.1AI score0.01021EPSS
Exploits1
Atlassian
Atlassian
added 2019/12/10 2:16 a.m.29 views

XSS in the /plugins/servlet/branchreview resource through the reviewedBranch parameter - CVE-2019-15008

The /plugins/servlet/branchreview resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the reviewedBranch parameter...

6.1CVSS4.3AI score0.00739EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:20 a.m.29 views

CSRF in the ServiceExecutor resource - CVE-2019-8447

The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.2AI score0.00679EPSS
Exploits0
Atlassian
Atlassian
added 2019/06/18 12:30 p.m.29 views

Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

h3. Issue Summary Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce Install Crowd 3.1.1 and connect with OpenLDAP directory. Synchronise the OpenLDAP directory. Disable one of the user from OpenLDAP...

7.5CVSS2.4AI score0.00872EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:9 a.m.29 views

XSS in the labels gadget - CVE-2019-3400

The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the jql parameter...

6.1CVSS5.7AI score0.01084EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:2 a.m.29 views

Information disclosure in the ManageFilters.jspa resource - CVE-2019-3401

The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.5AI score0.12719EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 3:59 a.m.29 views

XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the searchOwnerUserName parameter...

6.1CVSS5.7AI score0.08947EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.29 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/04 9:7 p.m.29 views

Confluence error pages should remove stack trace from being output to the UI

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. panel h3. Problem Definition The Confluence error page typically displays "Oops - an error has occurred", it displays System error, the cause, then the stack trace that deals with that error. This is not desirable for all...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/03/14 1:19 p.m.29 views

Vulnerable javascript library: jQuery

Good morning. It has been brought to my attention that jQuery library has a vulnerability. In jQuery version before 1.9.0b1 selector interpreted as HTML. This could lead to potential vulnerabilities https://bugs.jquery.com/ticket/11290. Solution: jQuery version 1.9.0b1 has been released to addres...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2018/02/07 10:17 p.m.29 views

The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...

5.4CVSS1.5AI score0.00591EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/12 4:17 a.m.29 views

XSS through a project or filter name in the PieChart gadget - CVE-2017-16863

The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a project or filter...

6.1CVSS5.7AI score0.00809EPSS
Exploits0
Atlassian
Atlassian
added 2017/03/14 4:40 a.m.29 views

XSS Vulnerability in wiki markup

Luke Jahnke of the Australia Post Digital Mailbox Security Team reported to Atlassian an XSS in nesting various markup...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/25 7:44 a.m.29 views

XSRF Security Token Missing when clicking on Contact an administrator

h3. Summary Clicking on the "Contact an administrator to perform this action." results in XSRF Security Token Missing. Tested with : Chrome Version 54.0.2840.59 64-bit Firefox 49.0 h3. Steps to Reproduce Configure Outgoing Mail Enable Contact Administrators Form from General Configurations Create...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/06/24 12:11 p.m.29 views

bitbucket attempted security breach

Bitbucket https://bitbucket.org/socialauth/migrate/?next=/ is asking for my atlassian password. Asking for a password for another website is at best bad practice...

1.3AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295