Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/03/10 4:58 a.m.28 views

XSS vulnerability in signup actions

Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/01 12:29 p.m.28 views

Project name that contains double-quote is not properly escaped on Issue Navigator page

If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2007/10/16 1:27 a.m.28 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/03/27 12:36 a.m.28 views

Support nested groups

panel:title=Resolved in Confluence 3.5|borderStyle=solid|borderColor=3C78B5|titleBGColor=3C78B5|bgColor=E7F4FA We are pleased to advise that support for nested groups is available in Confluence 3.5. You can find instructions on how to configure nested groups in our documentation: Configuring User...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/07/09 10:11 p.m.28 views

Login errors in 1.3

When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.27 views

File Inclusion in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in version 11.3.3 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N allows an unauthenticated attacker to get...

8.2CVSS6.8AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/05/05 10:29 a.m.27 views

Injection in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.8AI score0.00498EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.27 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Bamboo Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows ...

7.5CVSS5.8AI score0.0064EPSS
Exploits1
Atlassian
Atlassian
added 2025/11/14 6:28 a.m.27 views

RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-38999

note: This is a critical vulnerability in a non-Atlassian Bitbucket dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. This...

10CVSS6.8AI score0.00749EPSS
Exploits0
Atlassian
Atlassian
added 2025/06/10 3:48 a.m.27 views

DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.12.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, and 10.6.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS8.7AI score0.66933EPSS
Exploits5
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.27 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Crowd Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 5.2.4 and 5.3.0 of Crowd Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.3AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/04 10:11 a.m.27 views

RCE (Remote Code Execution) org.apache.avro:avro Dependency in Bamboo Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 9.2.1, 9.6.0, and 10.0.0-rc3 of Bamboo Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L...

9.2CVSS7.8AI score0.03278EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/23 4:58 a.m.27 views

DoS (Denial of Service) braces Dependency in Confluence Data Center

This High severity braces Dependency vulnerability was introduced in versions 7.11 of Confluence Data Center. This braces Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to...

7.5CVSS7.1AI score0.01471EPSS
Exploits1
Atlassian
Atlassian
added 2024/09/20 8:48 a.m.27 views

DoS (Denial of Service) decode-uri-component Dependency in Confluence Data Center

This High severity decode-uri-component Dependency vulnerability was introduced in version 7.0.1 of Confluence Data Center. This decode-uri-component Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to...

7.5CVSS7.1AI score0.24928EPSS
Exploits1
Atlassian
Atlassian
added 2024/08/15 8:11 p.m.27 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7.0 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.5AI score0.011EPSS
Exploits0
Atlassian
Atlassian
added 2024/07/23 8:46 a.m.27 views

Bitbucket Datacenter REST API allows non-admin users to query all groups and members of the group

h3. Issue Summary Non-admin users any licensed user can query all the groups and members of the groups using the below API Groups API|https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/api-api-latest-admin-groups-get Group memberships...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/13 2:28 p.m.27 views

Smart commit action do not respect user permission for Comment actions

h3. Summary When executing a smart commit for adding a comment as per Processing issues with Smart Commits|https://confluence.atlassian.com/jirasoftwareserver0904/processing-issues-with-smart-commits-1188765783.html, it is not failing even if the user does not have permission for the requested...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/05/15 12:36 p.m.27 views

Confluence System error page is displaying environment details.

h3. Issue Summary Confluence System error page is displaying environment details. This has been fixed as per https://jira.atlassian.com/browse/CONFSERVER-55306 but the issue still persists. This is reproducible on Data Center: yes h3. Steps to Reproduce Create a Confluence instance with version...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2021/06/22 10:58 a.m.27 views

Plan managed by specs allows to modify artifact dependencies with UI

h3. Issue Summary RSS-managed plan should be in View mode for every tab and page. h3. Steps to Reproduce Create plan managed by RSS with artifact subscription settings Open Plan config page and visit artifacts tab of job Click Edit or Delete button of artifact subscription item h3. Expected Resul...

2AI score
Exploits0
Atlassian
Atlassian
added 2021/03/01 8:35 p.m.28 views

Blind SSRF in widgetConnector - CVE-2021-26072

Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability in the widgetconnector plugin. When running in an environment like Amazon EC2, this flaw may be used to access...

4.3CVSS4.5AI score0.38845EPSS
Exploits0
Atlassian
Atlassian
added 2020/12/10 2:10 a.m.27 views

Sending multiple concurrent file upload requests will permanently break a review - CVE-2020-29447

Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5. Affected...

4.3CVSS5.3AI score0.00991EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/23 4:53 a.m.27 views

SQL Injection in Jira Software Server [Integration for HipChat]

Affected versions of Jira Server have a SQL injection vulnerability that has now been fixed by removing the vulnerable HipChat integration plugin. Affected versions: versions 8.14.0 Fixed versions: 8.14.0 The plugin is no longer installed in new versions of Jira. However, the removal of the plugi...

3.5AI score
Exploits0
Atlassian
Atlassian
added 2020/08/03 12:57 a.m.27 views

Information disclosure of repository HTTP password in logs - CVE-2017-18112

Affected versions of Atlassian FishEye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. Affected versions: version 4.8.3 Fixed versions: 4.8.3 4.9.0...

6.5CVSS6.1AI score0.01019EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/28 6:27 p.m.27 views

Improve error handling in commits page and REST endpoint

Adding a trail "%27" at the commits page URL in Bitbucket causes the application to output the error below. !screenshot-1.png|thumbnail! This error is improper error handling as it shows the path to the git executable in the server as well as it exceeds the limits of the error page and does not...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/18 2:44 a.m.27 views

Denial of service in Dashboard & Gadgets - CVE-2020-14167

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in Dashboard & Gadgets. Affected versions: version 7.13.14 8.5.0 ≤ version 8.5.5 8.8.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed...

7.5CVSS6.2AI score0.02129EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/17 3:45 a.m.27 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Confluence Server and Data Center before version 6.13.11, and from version 6.14.0 before version 7.3.3 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an improper authorization check. See...

4.9CVSS5.2AI score0.01487EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/11 12:57 p.m.27 views

Unable to secure remote agents via automatic keystore management

h3. Issue Summary It is not possible to secure the remote agents to connect to the Bamboo Server using SSL through the automatic keystore management feature. h3. Steps to Reproduce Configure Bamboo to use SSL in Broker URL and Broker Client URL Securing your remote...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2018/12/07 5:49 p.m.27 views

Sessions never expire due to continuous XHR

Summary Sessions in Bamboo are supposed to have a default inactivity timeout of 30 minutes see https://confluence.atlassian.com/bamkb/how-to-change-bamboo-user-session-timeout-848977292.html, however regardless of which timeout period is set, sessions never time out if a user doesn't close their...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2018/10/23 12:13 a.m.27 views

Open redirect in the XsrfErrorAction resource - CVE-2018-13401

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0...

6.1CVSS4.3AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2018/03/14 1:19 p.m.27 views

Vulnerable javascript library: jQuery

Good morning. It has been brought to my attention that jQuery library has a vulnerability. In jQuery version before 1.9.0b1 selector interpreted as HTML. This could lead to potential vulnerabilities https://bugs.jquery.com/ticket/11290. Solution: jQuery version 1.9.0b1 has been released to addres...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2018/03/08 9:8 a.m.27 views

Various resources included the current remote directory password in their responses - CVE-2016-10740

Various resources in Atlassian Crowd before before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories via examining the responses of various resources...

4.9CVSS4.6AI score0.01056EPSS
Exploits0
Atlassian
Atlassian
added 2017/12/12 8:33 a.m.27 views

REST endpoint user impersonation using authentication module functionality - CVE-2017-16858

The 'crowd-application' plugin module notably used by the Google Apps plugin in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given th...

6.8CVSS1.8AI score0.00576EPSS
Exploits0
Atlassian
Atlassian
added 2017/11/22 5:11 p.m.27 views

Repo password on display for the world to see.

I just noticed that my machine user name and password are on display above the commit dialog. Since this job site uses single sign on for everything, that's my username and password for the entire system here. I have three different repos loaded in Sourcetree. Because of single sign on, that is...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/06/02 3:55 p.m.27 views

Bitdefender reported virus in Git LFS plugin

!Capture1.PNG!...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/04/20 3:45 p.m.27 views

REST API attachment request still works with wrong/expired cookie

h3. Summary If you perform a REST API attachment request using Cookie Based Authentication with wrong/expired cookie it will still return results with 200 status code. h3. Environment JIRA v1000.892.2 h3. Steps to Reproduce Use Cookie Based Authentication using a wrong/expired cookie Perform a RE...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/14 4:40 a.m.27 views

XSS Vulnerability in wiki markup

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-51825. panel Luke Jahnke of the Australia Post Digital Mailbox Security Team reported to Atlassian an XSS in nesting various...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/04 9:49 a.m.27 views

Lucene query checks plan permission against random plan

h1. Summary Bamboo runs permission validation against random plan when execute report h1. Details When execute report generator Bamboo checks if user has READ permission to plan. Sometimes it checks it against another plan User mode Create 2 plans Plan1 and Plan2 in same project. And execute them...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2017/01/17 4:45 a.m.27 views

Shell Injection in SourceTree for Mac

SourceTree for Mac had a shell injection vulnerability starting with 1.9.8 prior to 2.3.1 the fixed version. By visiting a malicious website or by convincing a user to click a sourcetree:// URL with a vulnerable version of SourceTree for Mac installed an attacker could use a shell injection...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/13 4:59 a.m.27 views

The Confluence Login page should not gives details of build version to unauthenticated users

The login page discloses detailed version information of the application to unauthenticated users. !screenshot-1.png|thumbnail! This information facilitates finding vulnerabilities for possible attackers suggestion: Remove the build number completely in the login page...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/08/02 3:31 p.m.27 views

JSON export doesn't differentiate public from internal comments

h4. +Summary+ Currently, when exporting a SD request to JSON format, it's not possible to tell which comment is internal or public from the JSON file. h4. +Steps to reproduce+ Go to Manage add-ons - All add-ons - jira-importers-plugin - Enable JSON export Create an SD request and add one internal...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/21 5:33 p.m.27 views

Bad performance noticed on issues with long history

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-45903. panel Performing some testing with JIRA 6.4.5, I've noticed that there is a huge difference when logging work on an issue with no...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/02 3:27 a.m.27 views

xss by swf file

In confluence comment module user can embed swf file in their comment, confluence are using a atltoken parameter on GET HTTP request, if the attacker send the link of .swf file the value of src on embed tag to his victim the malicious .SWF won't execute on the victim's browser . We can bypass thi...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/08 11:4 a.m.27 views

"JIRA Project Releases" event should respect Project's permissions

Adding "JIRA Project Releases" event type to the Team calendar seems to NOT respect permissions from the project. It means even people that have no access to some project will see the release dates from the forbidden project. Expected behavior: Users should see only "JIRA Project Releases" from...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/25 10:28 a.m.27 views

JIRA HTTP Dump Recorded Credential information As Text

Example steps to reproduce: Example 1: enable HTTP Access Logging and the HTTP dump log Change Password in the atlassian-jira-http-dump.log , the user's credential will be in the log as text Example 2: enable HTTP Access Logging and the HTTP dump log exit Administrations menu/logout go to any...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2015/03/30 7:14 a.m.27 views

Bundled Java Version Security Patches

At the moment, the bundled JAVA is version 1.7.015. The recent JAVA version is 1.7.72, which has many security patches http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html. Does the security vulnerabilities on bundled JAVA JRE something that we should be concerned about?...

1AI score
Exploits0
Atlassian
Atlassian
added 2015/03/10 3:44 p.m.27 views

Expired user in Active Directory do not stop user from cloning via SSH

User who is bind with a SSH key can still clone while their account has expired on the Active Directory. However, this user will not able to login to Stash. Another scenario on the same concept works where the user bind with the SSH key is disabled in AD and that user will not be able to clone or...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/01/13 9:50 a.m.27 views

User receiving notification from a restricted space

h6. Steps to replicate Download Confluence 5.5.2. Create an user "test". Create a group "testing". Add the user "test" into group "testing". Create a space name "Permission". Restrict the space to group "testing". Access Confluence as user "Test". Access the page name "Permission" and watch the...

1.1AI score
Exploits0
Atlassian
Atlassian
added 2014/08/28 1:0 a.m.27 views

Crowd gives more admin permissions than is apparent

When a crowd application has multiple directories added to it, and a group which is authorised to log into Crowd, all directories with that group are allowed to log in to crowd. However, the UI makes it seem as though only a group in the chosen directory is allowed to log in. Steps to reproduce:...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2014/07/17 11:20 p.m.27 views

Specify logging level to Prevent Root DEBUG from Exposing Login

h3. Summary Setting root level DEBUG can expose login information username/pw when JIRA is connected to Crowd for user management, as it outputs the REST POST contents that are transmitted through the HttpClient. h3. Environment Crowd integrated with JIRA for user management. h3. Steps to Reprodu...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2014/06/05 7:15 a.m.27 views

Domain restricted signup is creating enabled users on ApacheDS

When a user signs up to a Confluence instance that has domain restricted sign up enabled, they are normally created as disabled users and are unable to login. However, when the underlying user directory does not support disabling users, such as ApacheDS 1.5, then the user ends up being created as...

6.9AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295