Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2013/03/06 1:6 a.m.29 views

XSS vulnerability in invite-users-panel.vm [$i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle]), line 37]

Panopticon http://panopticon.dyn.syd.atlassian.com/ has detected that the following file contains a XSS vulnerability. This vulnerability has been manually confirmed. File: confluence-plugins/confluence-bundled-plugins/confluence-easyuser-admin/src/main/resources/templates/invite-users-panel.vm...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/11/29 1:27 p.m.29 views

CreateSupportZipAction directory traversal

There’s a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files into a support zip. This is because the SupportUtility object is marked as @ParameterSafe, and no validation is performed on its serverLogsDirectory path...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/29 11:13 a.m.29 views

Inherit Edit Restrictions for Child Pages

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-26446. panel As it said in Documentation for Page Restrictions|https://confluence.atlassian.com/display/DOC/Page+Restrictions:...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/07/27 1:56 a.m.29 views

Potential remote code execution due to embedding of old django-piston

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46819. panel The exposed atlassian api for forummodules found under forummodules/atlassian/api uses an outdated version of...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/05/07 6:55 a.m.29 views

The "user" Dark Features page is vulnerable to XSRF/csrf

The "User Dark Features" page located at $host/secure/ViewProfile.jspa?selectedTab=jira.user.profile.panels:up-darkfeatures-panel allows users to add dark features which only affect themselves. However, it is not protected against XSRF attacks. Note: the 'value' of dark features is not properly...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/11/28 10:5 a.m.29 views

Do not show registered users in quick search to anonymous users

Registered users appears in quick search, even when it's a search made by anonymous...

3.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/08/25 3:13 p.m.29 views

Better error message when viewing an embedded calendar as an unprivileged user

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-51101. panel On our site's dashboard I have a calendar macro defined as:...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/09 1:35 a.m.29 views

Support web sudo and other password confirmation features with custom authenticators

By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom authenticator is detected. However, there is an override flag that was added as part of CONF-20958 that allows administrators to turn it on again. If it is turned on manually, in mos...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/03 10:17 a.m.29 views

websudo does not work with Confluence when it's integrated with Crowd SSO

h5. Steps to reproduce Integrate with Crowd with SSO|http://confluence.atlassian.com/display/DOC/Connecting+to+Crowd+or+JIRA+for+User+Management Go to Confluence Admin, it does not prompt to enter password websudo Go to Security Configuration. Note that it will look something like this:...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/01/10 2:0 a.m.29 views

Lock account after multiple login failure

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-23412. panel For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/12/03 3:34 a.m.29 views

XSS vulnerability in Create Space Button macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence create-space-button macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 1:24 a.m.29 views

Remove the download link for XML site backups

Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluencecfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The fl...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/13 3:26 p.m.29 views

Allow user accounts to require two-factor authentication using RFC 4226

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-20999. panel New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 10:24 a.m.29 views

SSL for login page only does not work in Confluence 3.1

URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/24 12:36 a.m.29 views

Unable to use HTTPS for login only

If you setup the urlrewrite.xml like so: noformat ^/s/.//download/images/^?. /images/$2 ^/s/.//^?. /$2 ^/login.action https https://localhost:8443/login.action ^/dologin.action https https://localhost:8443/dologin.action ^/. https /login.action. /dologin.action. /s/. http://localhost:8080/$...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/03/19 4:15 p.m.29 views

Latex Plugin-Cross-site Scripting Error

Our security group scanned the plugin below and found the following issue for the Latex Plugin: Number System/Location Defect Type Status R1 Latex Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...

Exploits0Affected Software1
Atlassian
Atlassian
added 2009/02/12 1:0 a.m.29 views

Password is being logged for 500 errors

The user passwords are being exposed in the log files when a 500 error happens. The following Jira solved the problem for the information displayed in the user Browser: http://jira.atlassian.com/browse/CONF-12360...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:14 p.m.29 views

XSS in bookmarks plugin

The bookmarking code under the url http://localhost:8080/plugins/socialbookmarking/updatebookmark.action is vulnerable to XSS attacks using the spaceKey parameter: submitting the following code will execute javascript: spaceKey=%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E%22%3E IMPORTANT:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2008/08/25 10:28 a.m.29 views

Hidden pages' content can be viewed without permission using copypage.action

If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A User cannot see Space A User can see Space B The following URL will allo...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/06/14 8:55 a.m.29 views

CommentService validation methods do not check user's security level

The validateCommentUpdate, hasPermissionToUpdate and hasPermissionToDelete methods on DefaultCommentService check the user's comment-related permissions but neglect to check whether they have a role/group security level viewable by the user attempting to delete a comment...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.29 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/11/14 11:3 p.m.29 views

Encrypt all passwords stored on the file system

Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an encryption scheme for anything requiring security stored on the file system...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/05/22 12:31 p.m.29 views

Problem when signing up for new user Account from login page

I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to login with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroupsUser.java:94 at...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:30 p.m.28 views

DoS (Denial of Service) at org.apache.activemq dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5.8AI score0.00896EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.28 views

Injection in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.8AI score0.00498EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.28 views

BASM (Broken Authentication & Session Management) in Confluence Data Center

This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity BASM Broken Authentication & Session Management vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0,...

9.1CVSS5.8AI score0.00715EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/14 12:17 p.m.28 views

OS Command Injection in Bamboo Data Center - CVE-2026-21571

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of...

9.4CVSS6AI score0.0127EPSS
Exploits0
Atlassian
Atlassian
added 2025/06/10 3:48 a.m.28 views

DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, and 10.6.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2025/04/18 1:12 a.m.28 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Crucible Data Center and Server

This High severity net.minidev:json-smart Dependency vulnerability was introduced in version 4.9.0 of Crucible Data Center and Server. This net.minidev:json-smart Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.28 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Crowd Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 5.2.4 and 5.3.0 of Crowd Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.3AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/23 4:58 a.m.28 views

DoS (Denial of Service) braces Dependency in Confluence Data Center

This High severity braces Dependency vulnerability was introduced in versions 7.11 of Confluence Data Center. This braces Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to...

7.5CVSS7.1AI score0.01471EPSS
Exploits1
Atlassian
Atlassian
added 2024/08/15 8:11 p.m.28 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7.0 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.5AI score0.011EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/23 8:46 a.m.28 views

Bitbucket Datacenter REST API allows non-admin users to query all groups and members of the group

h3. Issue Summary Non-admin users any licensed user can query all the groups and members of the groups using the below API Groups API|https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/api-api-latest-admin-groups-get Group memberships...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/10/30 1:26 p.m.28 views

Feedback button iframe should be sandboxed

h3. Issue Summary When feedback button is clicked in Jira top navigation bar, it loads an iframe with content from jira.atlassian.com. Iframe doesn't have sandbox attribute which may be seen as a potential vulnerability. IFrame sandboxing enables a set of additional restrictions for the content...

7.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/08/17 9:33 a.m.28 views

Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter

h3. Issue Summary Users with no "Browse Users permissions" are able to fetch issues which are assigned to another user or reported by other user using advanced search filter. This is reproducible on Data Center: yes h3. Steps to Reproduce Log into JIRA with a user which does not have Browse Users...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/02 10:22 a.m.28 views

Granting the 'Administer Projects' permission to a 'Custom Field' within a permission scheme allows all users to see the Project Settings

h3. Issue Summary This is reproducible on Data Center: yes Granting the Administer Projects permission to a User custom field value results in users having access to the Project Settings area even when the field is not populated. h3. Steps to Reproduce Create a new project with sample data Create...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/11/30 7:39 p.m.28 views

Insight JAMF integration - Error when Importing

h3. Issue Summary The Assets - Jamf Integration|https://marketplace.atlassian.com/apps/1219908/assets-jamf-integration?tab=overview&hosting=datacenter plugin supported by Atlassian seems to retrieve an error on the importing process "could not connect to service". h3. Steps to Reproduce The...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/24 4:23 a.m.28 views

Vulnerability in LESS Transformer Plugin used by Bitbucket

h3. Issue Summary As of Bitbucket 7.21 the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately it has a dependency on commons-codec version 1.4 which has a number of security vulnerabilities. eg.commons-codec:commons-codec / 1.4 Apache Commons Codec...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2021/10/07 12:6 p.m.28 views

Local File Dislocusure to Browse All Files in /atlassian-bamboo

This vulnerability affects certain versions of Atlassian Bamboo. Attacker can craft URL to browse all files inside /atlassian-bamboo at Bamboo installation folder, which includes files at WEB-INF folder...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/09/07 7:58 a.m.28 views

Sending an unauthenticated request to the Synchrony allows writing to the logs

h3. Issue Summary It is possible to write log entries via Synchrony API without authentication. h3. Steps to Reproduce To do this, you have to enter the target URL in Postman:, copy the GET or POST request and send the http request. For all POST requests, you must ensure that the content length...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/05/20 10:43 p.m.28 views

Bitbucket XSS, privilege escalation from "Project Creator" to "System admin" on project deletion

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 1:37 p.m.28 views

Cross Site Scripting vulnerability allows injecting HTML code into table edits

h3. Issue Summary Cross Site Scripting vulnerability allows injecting HTML code into table edits h3. Steps to Reproduce Edit a page Then access the Insert macro 'Info' option. A new window will open, in which the Preview option must be selected. With the help of an intermediate proxy such as burp...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2021/03/03 10:39 p.m.28 views

Blind SSRF in Team Calendars REST API using location parameter - CVE-2020-29445

Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters. Affected versions: 7.11.0 Fixed versions: 7.11.0 7.4.8 LTS This vulnerability is attributed to Stefano Castilletti, a...

4.3CVSS5AI score0.01201EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/22 4:54 a.m.28 views

Persistent XSS through Team Calendar in Confluence Server - CVE-2020-29444

Affected versions of Team Calendar in Confluence Server allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting vulnerability in admin global setting parameters. h3. Affected versions: 7.11.0 h3. Fixed version: 7.11.0 This vulnerability is attributed to Stefano...

5.4CVSS5.3AI score0.00928EPSS
Exploits0
Atlassian
Atlassian
added 2021/02/16 11:35 p.m.28 views

DOM XSS in the issue navigation & search view via parameter pollution - CVE-2020-36288

The issue navigation & search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting XSS vulnerability caused b...

6.1CVSS5.6AI score0.01519EPSS
Exploits0
Atlassian
Atlassian
added 2020/12/10 2:10 a.m.28 views

Sending multiple concurrent file upload requests will permanently break a review - CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. Affected...

4.3CVSS5.3AI score0.00991EPSS
Exploits0
Atlassian
Atlassian
added 2020/05/28 5:17 a.m.28 views

XSS in the review coverage resource through the committerFilter parameter- CVE-2020-4023

The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting XSS vulnerability through the committerFilter parameter. Affected versions: version 4.8.2 Fixed versions: 4.8.2 4.9.0...

5.4CVSS5.1AI score0.00772EPSS
Exploits0
Atlassian
Atlassian
added 2020/04/22 1:56 a.m.28 views

DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. Affected versions: version 8.5.5 8.6.0 ≤ version 8.7.2 Fixed versions: 8.5.5 8.7.2 8.8.0...

7.8CVSS7.5AI score0.0081EPSS
Exploits0
Atlassian
Atlassian
added 2020/02/04 11:21 p.m.28 views

Information leak through broken access control in Jira Server and Data Center - CVE-2019-20407

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check...

4.3CVSS4.9AI score0.01198EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.28 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Confluence before version 6.13.6, from version 6.14.0 before version 6.15.5, and from version 7.0.0 before 7.0.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See...

4.3CVSS2.3AI score0.00915EPSS
Exploits0
Total number of security vulnerabilities4295