Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2011/08/25 3:13 p.m.29 views

Better error message when viewing an embedded calendar as an unprivileged user

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-51101. panel On our site's dashboard I have a calendar macro defined as:...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/09 1:35 a.m.29 views

Support web sudo and other password confirmation features with custom authenticators

By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again. If it is turned on manually, in mos...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/03 10:17 a.m.29 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/01/18 10:47 p.m.29 views

Deleting a user does not remove the user from its LDAP group

Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/01/10 2:0 a.m.29 views

Lock account after multiple login failure

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-23412. panel For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/12/05 10:25 p.m.29 views

Basic auth authentication does not allow files to be attached in 4.2

From the customer support case quote When using osauthType=basic to login to JIRA 4.2 a user is able to upload an attachment as a temporary file, but is unable to attach the temporary file to the issue. We noticed the exact same behavior ... had worked with JIRA 4.1.2. quote The Atlassian support...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/10/12 1:7 a.m.29 views

Patches for XSS / XSRF vulnerabilities

We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS Cross Site Scripting attacks and/or Cross Site Request Forgery XSRF attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/09/27 5:20 p.m.29 views

Non-secure content warning in IE8 on the Dashboards screen caused by the wiki renderer

Wiki renderer-generated contents e.g. in the activity stream include references to icons with http prefix that cause IE8 to generate security warnings for JIRA instances accessible via HTTPS. To reproduce it, have contents in the activity stream gadget contain icons included by the wiki renderer,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/04 10:49 a.m.29 views

Display Last-Login-Date for the User

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21933. panel Dear Atlassian! I don't know whether a ticket like this already exits or was solved, but I couln't find any. We would like to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/07/28 4:34 p.m.29 views

NullPointerException when Switching between Projects or Boards

In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/20 3:13 a.m.29 views

Pluggable CAPTCHA

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21359. panel CAPTCHA should be pluggable in JIRA CAPTCHA|http://en.wikipedia.org/wiki/CAPTCHA is supposed to stop spam and other automated...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 1:24 a.m.29 views

Remove the download link for XML site backups

Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluencecfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The fl...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/19 2:59 a.m.29 views

Group picker popup JSP has XSS hole if group names are XSS shaped

If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/18 1:44 a.m.29 views

The current CAPTCHA implementation may not be secure

The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/13 3:26 p.m.29 views

Allow user accounts to require two-factor authentication using RFC 4226

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-20999. panel New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 10:24 a.m.29 views

SSL for login page only does not work in Confluence 3.1

URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 12:36 a.m.29 views

Unable to use HTTPS for login only

If you setup the urlrewrite.xml like so: noformat ^/s/.//download/images/^?. /images/$2 ^/s/.//^?. /$2 ^/login.action https https://localhost:8443/login.action ^/dologin.action https https://localhost:8443/dologin.action ^/. https /login.action. /dologin.action. /s/. http://localhost:8080/$...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/01/15 11:31 p.m.29 views

Forgot Password/Crowd Integration exception handling and regex improvements

If JIRA is integrated with Crowd, and Crowd has password restrictions e.g. regex, a user will receive a stack trace in JIRA if the new password does not meet Crowd's password requirements e.g. through the Forgot Password link in JIRA. noformat java.lang.IllegalArgumentException: Could not change...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:14 p.m.29 views

XSS in bookmarks plugin

The bookmarking code under the url http://localhost:8080/plugins/socialbookmarking/updatebookmark.action is vulnerable to XSS attacks using the spaceKey parameter: submitting the following code will execute javascript: spaceKey=%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E%22%3E IMPORTANT:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2007/11/22 6:20 a.m.29 views

Authenticating security providers fails due to ClassLoader bugs

If the Trusted Application feature is not working and the following is seen noformat WARN atlassian.seraph.filter.TrustedApplicationsFilter Failed to login trusted application: confluence1234567 due to: com.atlassian.security.auth.trustedapps.InvalidCertificateException:...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/17 5:54 p.m.29 views

Permissions at field level

I would like to be able to limit what users roles are able to modify individual fields. For example, I only want to allow particular people project managers to be able to select a fix version in an issue. However, it seems that any user who can edit an issue, including the reporter, can set the...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/06/14 8:55 a.m.29 views

CommentService validation methods do not check user's security level

The validateCommentUpdate, hasPermissionToUpdate and hasPermissionToDelete methods on DefaultCommentService check the user's comment-related permissions but neglect to check whether they have a role/group security level viewable by the user attempting to delete a comment...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.29 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/10/01 5:56 p.m.29 views

NPE in SpaceHelper borks page....

If you have a url for Space admin : http://server.name.com/spaces/listdecorators.action?key=BP2I And you get the space key wrong, then rather than failing gracefully, you end up with an sitemesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName retur...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/06/24 6:21 a.m.29 views

"Change password" facility modify only a password in a local database, not in LDAP.

If jira is configured to use Ldap authentification and user change its password, Jira checks current password in ldap, but modify password in local database only. I think, the correct behaviour is to change both passwords -- in ldap, because this is the one which is realy used, and in local...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/11/14 11:3 p.m.29 views

Encrypt all passwords stored on the file system

Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an encryption scheme for anything requiring security stored on the file system...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:31 p.m.28 views

DoS (Denial of Service) at jackson-core dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 12.0.0 and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/11 11:30 p.m.28 views

DoS (Denial of Service) at org.apache.activemq dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5.8AI score0.00896EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.28 views

BASM (Broken Authentication & Session Management) in Confluence Data Center

This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity BASM Broken Authentication & Session Management vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0,...

9.1CVSS5.8AI score0.00715EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/14 12:17 p.m.28 views

OS Command Injection in Bamboo Data Center - CVE-2026-21571

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of...

9.4CVSS6AI score0.0127EPSS
Exploits0
Atlassian
Atlassian
added 2025/04/18 1:12 a.m.28 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Crucible Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in version 4.9.0 of Crucible Data Center and Server. This net.minidev:json-smart Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2025/04/04 7:11 a.m.28 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in versions 9.12.4, 9.13.0, 9.14.0, 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Software Data Center and Server. This net.minidev:json-smart Dependency vulnerability, with a CV...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/13 4:13 p.m.28 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.2.0, 5.3.0, 6.0.0, 6.1.0 and 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS9.3AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2025/02/13 1:13 a.m.28 views

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in version 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS7.4AI score0.43663EPSS
Exploits13
Atlassian
Atlassian
added 2025/02/13 1:13 a.m.28 views

SQLi (SQL Injection) org.postgresql:postgresql Dependency in Bitbucket Data Center and Server

This High severity org.postgresql:postgresql Dependency vulnerability was introduced in version 8.0 of Bitbucket Data Center. A version of the PostgreSQL JDBC driver is bundled in the Mesh Application /app/WEB-INF/mesh/mesh-app.jar however Mesh does not use the PostgreSQL driver, rather it uses a...

8CVSS7.8AI score0.01662EPSS
Exploits1
Atlassian
Atlassian
added 2023/10/30 1:26 p.m.28 views

Feedback button iframe should be sandboxed

h3. Issue Summary When feedback button is clicked in Jira top navigation bar, it loads an iframe with content from jira.atlassian.com. Iframe doesn't have sandbox attribute which may be seen as a potential vulnerability. IFrame sandboxing enables a set of additional restrictions for the content...

7.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/08/17 9:33 a.m.28 views

Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter

h3. Issue Summary Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter. This is reproducible on Data Center: yes h3. Steps to Reproduce Log into JIRA with a user which does not have Browse Users...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/02 10:22 a.m.28 views

Granting the 'Administer Projects' permission to a 'Custom Field' within a permission scheme allows all users to see the Project Settings

h3. Issue Summary This is reproducible on Data Center: yes Granting the Administer Projects permission to a User custom field value results in users having access to the Project Settings area even when the field is not populated. h3. Steps to Reproduce Create a new project with sample data Create...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/30 7:39 p.m.28 views

Insight JAMF integration - Error when Importing

h3. Issue Summary The Assets - Jamf Integration|https://marketplace.atlassian.com/apps/1219908/assets-jamf-integration?tab=overview&hosting=datacenter plugin supported by Atlassian seems to retrieve an error on the importing process "could not connect to service". h3. Steps to Reproduce The...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/24 4:23 a.m.28 views

Vulnerability in LESS Transformer Plugin used by Bitbucket

h3. Issue Summary As of Bitbucket 7.21 the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately it has a dependency on commons-codec version 1.4 which has a number of security vulnerabilities. eg.commons-codec:commons-codec / 1.4 Apache Commons Codec...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2021/10/07 12:6 p.m.28 views

Local File Dislocusure to Browse All Files in /atlassian-bamboo

This vulnerability affects certain versions of Atlassian Bamboo. Attacker can craft URL to browse all files inside /atlassian-bamboo at Bamboo installation folder, which includes files at WEB-INF folder...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/07 7:58 a.m.28 views

Sending an unauthenticated request to the Synchrony allows writing to the logs

h3. Issue Summary It is possible to write log entries via Synchrony API without authentication. h3. Steps to Reproduce To do this, you have to enter the target URL in Postman:, copy the GET or POST request and send the http request. For all POST requests, you must ensure that the content length...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/20 10:43 p.m.28 views

Bitbucket XSS, privilege escalation from "Project Creator" to "System admin" on project deletion

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 1:37 p.m.28 views

Cross Site Scripting vulnerability allows injecting HTML code into table edits

h3. Issue Summary Cross Site Scripting vulnerability allows injecting HTML code into table edits h3. Steps to Reproduce Edit a page Then access the Insert macro 'Info' option. A new window will open, in which the Preview option must be selected. With the help of an intermediate proxy such as burp...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2021/03/03 10:39 p.m.28 views

Blind SSRF in Team Calendars REST API using location parameter - CVE-2020-29445

Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters. Affected versions: 7.11.0 Fixed versions: 7.11.0 7.4.8 LTS This vulnerability is attributed to Stefano Castilletti, a...

4.3CVSS5AI score0.01201EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/22 4:54 a.m.28 views

Persistent XSS through Team Calendar in Confluence Server - CVE-2020-29444

Affected versions of Team Calendar in Confluence Server allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting vulnerability in admin global setting parameters. h3. Affected versions: 7.11.0 h3. Fixed version: 7.11.0 This vulnerability is attributed to Stefano...

5.4CVSS5.3AI score0.00928EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/16 11:35 p.m.28 views

DOM XSS in the issue navigation & search view via parameter pollution - CVE-2020-36288

The issue navigation & search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting XSS vulnerability caused b...

6.1CVSS5.6AI score0.01519EPSS
Exploits0
Atlassian
Atlassian
added 2020/12/10 2:10 a.m.28 views

Sending multiple concurrent file upload requests will permanently break a review - CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. Affected...

4.3CVSS5.3AI score0.00991EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/16 12:12 a.m.28 views

CSRF token theft through referrer headers - CVE-2021-39126

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery CSRF vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions a...

6.5CVSS6.4AI score0.00703EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:17 a.m.28 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Total number of security vulnerabilities4295