Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/02/05 5:5 p.m.29 views

CSRF in Application Links plugin allows network enumeration - CVE-2019-20100

Atlassian Jira Server and Data Center before version 8.7.0 use a version of the Atlassian Application Links plugin that is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to...

4.7CVSS5.1AI score0.01021EPSS
Exploits1
Atlassian
Atlassian
added 2019/12/10 2:16 a.m.29 views

XSS in the /plugins/servlet/branchreview resource through the reviewedBranch parameter - CVE-2019-15008

The /plugins/servlet/branchreview resource in Atlassian Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the reviewedBranch parameter...

6.1CVSS4.3AI score0.00739EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/09 3:20 a.m.29 views

CSRF in the ServiceExecutor resource - CVE-2019-8447

The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery CSRF vulnerability...

4.3CVSS5.2AI score0.00679EPSS
Exploits0
Atlassian
Atlassian
added 2019/06/18 12:30 p.m.29 views

Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

h3. Issue Summary Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce Install Crowd 3.1.1 and connect with OpenLDAP directory. Synchronise the OpenLDAP directory. Disable one of the user from OpenLDAP...

7.5CVSS2.4AI score0.00872EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:9 a.m.29 views

XSS in the labels gadget - CVE-2019-3400

The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the jql parameter...

6.1CVSS5.7AI score0.01084EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 4:2 a.m.29 views

Information disclosure in the ManageFilters.jspa resource - CVE-2019-3401

The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check...

5.3CVSS5.5AI score0.12719EPSS
Exploits0
Atlassian
Atlassian
added 2019/04/29 3:59 a.m.29 views

XSS in the ConfigurePortalPages.jspa resource - CVE-2019-3402

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the searchOwnerUserName parameter...

6.1CVSS5.7AI score0.08947EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.29 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/04/04 9:7 p.m.29 views

Confluence error pages should remove stack trace from being output to the UI

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. panel h3. Problem Definition The Confluence error page typically displays "Oops - an error has occurred", it displays System error, the cause, then the stack trace that deals with that error. This is not desirable for all...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/03/14 1:19 p.m.29 views

Vulnerable javascript library: jQuery

Good morning. It has been brought to my attention that jQuery library has a vulnerability. In jQuery version before 1.9.0b1 selector interpreted as HTML. This could lead to potential vulnerabilities https://bugs.jquery.com/ticket/11290. Solution: jQuery version 1.9.0b1 has been released to addres...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2018/02/07 10:17 p.m.29 views

The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability XSS. See https://ecosystem.atlassian.net/browse/UPM-5871 for more details...

5.4CVSS1.5AI score0.00591EPSS
Exploits0
Atlassian
Atlassian
added 2018/01/12 4:17 a.m.29 views

XSS through a project or filter name in the PieChart gadget - CVE-2017-16863

The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability through the name of a project or filter...

6.1CVSS5.7AI score0.00809EPSS
Exploits0
Atlassian
Atlassian
added 2017/03/14 4:40 a.m.29 views

XSS Vulnerability in wiki markup

Luke Jahnke of the Australia Post Digital Mailbox Security Team reported to Atlassian an XSS in nesting various markup...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/25 7:44 a.m.29 views

XSRF Security Token Missing when clicking on Contact an administrator

h3. Summary Clicking on the "Contact an administrator to perform this action." results in XSRF Security Token Missing. Tested with : Chrome Version 54.0.2840.59 64-bit Firefox 49.0 h3. Steps to Reproduce Configure Outgoing Mail Enable Contact Administrators Form from General Configurations Create...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/06/24 12:11 p.m.29 views

bitbucket attempted security breach

Bitbucket https://bitbucket.org/socialauth/migrate/?next=/ is asking for my atlassian password. Asking for a password for another website is at best bad practice...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/04 10:6 p.m.29 views

Remove old plugin manager

The old plugin manager is still available in confluence if you know the URL ../admin/viewplugins.action it looks quite terrible and given it is almost an unknown feature most of the current Confluence Team would not know to fix it if there are security problems with it. It was kept when we put UP...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2015/03/30 7:14 a.m.29 views

Bundled Java Version Security Patches

At the moment, the bundled JAVA is version 1.7.015. The recent JAVA version is 1.7.72, which has many security patches http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html. Does the security vulnerabilities on bundled JAVA JRE something that we should be concerned about?...

1AI score
Exploits0
Atlassian
Atlassian
added 2015/01/09 12:12 a.m.29 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to have an account and be able to access the Confluence web interface. All versions of Confluence u...

2.8AI score
Exploits0
Atlassian
Atlassian
added 2014/07/29 4:12 a.m.29 views

Escape or filter script tags in "all activity" panel

We've got an external report about a third party plugin: quote From: Vincent Ollivier Date: 29 July 2014 13:12 Subject: JIRA 6.2.5 / JEditor XSS Vulnerability To: [email protected] Hi, Sorry for the email, I couldn't find the correct project to report this security issue. There's an XSS in...

6.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/14 3:28 a.m.29 views

Reflected XSS affecting Confluence via Gadgets

Steps to recreate: 1. To view the reflected XSS affecting JIRA, present on the current JIRA installation jira.atlassian.com visit the following link: noformat...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2014/06/23 3:45 a.m.29 views

Lack of CSRF protection on Voting

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47905. panel On Confluence Questions, answers and questions can be upvoted by the victim automatically on a question page visit,...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/19 7:51 a.m.29 views

Flash content-type sniffing allows Cross Site Data Hijacking

As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website it is possible to upload a flash file to confluence with a different content-type than for flash and when embedded on an attacker's domain will be able to make requests to the...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/18 2:46 p.m.29 views

Removing user from LDAP doesn't clear LDAP group membership

Reproduction steps: 1. Setup generic LDAP user repository RW, with jira-users, jira-developers, jira-administrators groups. 2. Create user for John Smith as [email protected]. 3. Add him to jira-administrators group. 4. Remove user [email protected] John changed the company. 5. Create user for Jake Sunny as...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/05/12 5:43 a.m.29 views

ClassLoader manipulation vulnerability

We have fixed a vulnerability in our fork of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Crowd web interface. In cases when anonymous access is enabled, a valid user...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/04/08 3:24 p.m.29 views

Confluence OnDemand dashboard - popular tab - user is shown links to pages they are restricted from viewing

Children of restricted pages do not get hidden from users who do not have permission to see the parent. Steps to reproduce: Create an unrestricted page. Create a child page, also unrestricted. Create a second user. Confirm the user can see the two new pages in their dashboard. Restrict viewing of...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/08 5:0 a.m.29 views

XSS in reorder panel

To reproduce: 1. Open a confluence instance in Firefox. 2. Create a space with key "TEST". 3. Create a page in that space called "alert0". 4. Create two pages with the page from step 3 as their parent. 5. Go to: code:none base...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/18 11:49 p.m.29 views

Can force a Java heap space OOME when passing a high startIndex value in the URL

h4. Steps to reproduce Start Confluence 5.2.3 Navigating to the following URL: http:///dosearchsite.action?queryString=1&startIndex=268435455 or some other high startIndex value The browser will spin, and logs will eventually display an out-of-memory error code 2013-09-18 17:13:19,808 ERROR...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/04 12:24 a.m.29 views

XSS vulnerability in the Office Powerpoint macro (Office Connector)

To reproduce: 1. Attach a ".ppt" file to the page. any file with that extension - doesn't need to be a powerpoint file 2. Add "Office Powerpoint" macro with Slide Number as: code "alertdocument.domain code 3. View page. See officeconnector, PptConverter.java, line...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/10 7:18 a.m.29 views

Webwork 2 code injection vulnerability

We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Fisheye, the attacker needs to be able to access...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/03/21 12:48 a.m.29 views

Restrict access to personal pages and directory

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-28592. panel We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/03/06 1:6 a.m.29 views

XSS vulnerability in invite-users-panel.vm [$i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle]), line 37]

Panopticon http://panopticon.dyn.syd.atlassian.com/ has detected that the following file contains a XSS vulnerability. This vulnerability has been manually confirmed. File: confluence-plugins/confluence-bundled-plugins/confluence-easyuser-admin/src/main/resources/templates/invite-users-panel.vm...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/11/29 1:27 p.m.29 views

CreateSupportZipAction directory traversal

There’s a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files into a support zip. This is because the SupportUtility object is marked as @ParameterSafe, and no validation is performed on its serverLogsDirectory path...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/29 11:13 a.m.29 views

Inherit Edit Restrictions for Child Pages

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-26446. panel As it said in Documentation for Page Restrictions|https://confluence.atlassian.com/display/DOC/Page+Restrictions:...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/07/27 1:56 a.m.29 views

Potential remote code execution due to embedding of old django-piston

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46819. panel The exposed atlassian api for forummodules found under forummodules/atlassian/api uses an outdated version of...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/11/28 10:5 a.m.29 views

Do not show registered users in quick search to anonymous users

Registered users appears in quick search, even when it's a search made by anonymous...

3.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/08/25 3:13 p.m.29 views

Better error message when viewing an embedded calendar as an unprivileged user

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-51101. panel On our site's dashboard I have a calendar macro defined as:...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/09 1:35 a.m.29 views

Support web sudo and other password confirmation features with custom authenticators

By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again. If it is turned on manually, in mos...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/03 10:17 a.m.29 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/01/18 10:47 p.m.29 views

Deleting a user does not remove the user from its LDAP group

Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/01/10 2:0 a.m.29 views

Lock account after multiple login failure

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-23412. panel For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/12/05 10:25 p.m.29 views

Basic auth authentication does not allow files to be attached in 4.2

From the customer support case quote When using osauthType=basic to login to JIRA 4.2 a user is able to upload an attachment as a temporary file, but is unable to attach the temporary file to the issue. We noticed the exact same behavior ... had worked with JIRA 4.1.2. quote The Atlassian support...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/10/12 1:7 a.m.29 views

Patches for XSS / XSRF vulnerabilities

We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS Cross Site Scripting attacks and/or Cross Site Request Forgery XSRF attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/04 10:49 a.m.29 views

Display Last-Login-Date for the User

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21933. panel Dear Atlassian! I don't know whether a ticket like this already exits or was solved, but I couln't find any. We would like to...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/20 3:13 a.m.29 views

Pluggable CAPTCHA

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21359. panel CAPTCHA should be pluggable in JIRA CAPTCHA|http://en.wikipedia.org/wiki/CAPTCHA is supposed to stop spam and other automated...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 1:24 a.m.29 views

Remove the download link for XML site backups

Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluencecfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The fl...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/19 2:59 a.m.29 views

Group picker popup JSP has XSS hole if group names are XSS shaped

If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/13 3:26 p.m.29 views

Allow user accounts to require two-factor authentication using RFC 4226

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-20999. panel New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 10:24 a.m.29 views

SSL for login page only does not work in Confluence 3.1

URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 12:36 a.m.29 views

Unable to use HTTPS for login only

If you setup the urlrewrite.xml like so: noformat ^/s/.//download/images/^?. /images/$2 ^/s/.//^?. /$2 ^/login.action https https://localhost:8443/login.action ^/dologin.action https https://localhost:8443/dologin.action ^/. https /login.action. /dologin.action. /s/. http://localhost:8080/$...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/31 6:6 a.m.29 views

JQL not respecting Issue Security Level "Project Lead"

While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead HSP-3 has Issue Security Level of "Project Lead" only. empty JQL to show all visible issues doesn't show HSP-3. make fred the Project Lead same query: still no HSP-3 however: fred can browse to HSP-3 an...

1.4AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295