Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2009/08/10 3:15 a.m.28 views

Update of jcaptcha

Update version of jcaptcha that we use...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/08/07 3:37 p.m.28 views

EPIC FAIL: new user signups result in plain text email with all login details

After signing up to a JIRA instance, I got an email which simply amazed me - it contained: My username My email address My full name My password It was all there, right before me, in a plain-text unencrypted email sent across a public network. WTF?! I'm not sure which universe that's considered a...

Exploits0
Atlassian
Atlassian
added 2009/05/20 6:5 p.m.28 views

CSRF attack message thrown when JSESSIONID is changed

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15779. panel Symptoms: Anything that is using DWR will fail. Meaning: page editor is fully or partially unusable and it may...

Exploits0Affected Software1
Atlassian
Atlassian
added 2009/02/04 3:15 p.m.28 views

Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...

When a notification is sent out for a page that includes the \jiraissues\ macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions. Here are the steps to reproduce: Set up the trust relationship between your JIRA and Confluence installs Create...

1AI score
Exploits0
Atlassian
Atlassian
added 2009/02/04 6:44 a.m.28 views

Fix header injection vulnerabilities

A number of vulnerabilities were found during JRA-16024 which expose JIRA to header injection attacks: Note that different application server configurations may expose or hide the presence of a header injection vulnerability. Standalone tomcat is usually not vulnerable. Tomcat 5.5.26 redirects al...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 5:0 a.m.28 views

XSS vulnerability in pagepicker.action and spacepagepicker.action

The following URL's are vulnerable: - /users/pagepicker.action - /users/spacepagepicker.action on formname, fieldname and currentspace panel:bgColor=99ff99 h4. Patch instructions for 2.6.x and 2.7.x 1. Shut down Confluence 2. Copy attached pagepicker.vm to confluence/users/ 3. Start up Confluence...

1.3AI score
Exploits0
Atlassian
Atlassian
added 2008/03/10 4:58 a.m.28 views

XSS vulnerability in signup actions

Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/01 12:29 p.m.28 views

Project name that contains double-quote is not properly escaped on Issue Navigator page

If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2007/10/16 1:27 a.m.28 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/13 8:15 a.m.28 views

XSS Bug in printable link display

A Cross sites scripting vulnerability exists in macro used to render the 'printable' link. Here is an exploit for the vulnerability that works https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert'Watchfire%20XSS%20Test%20Successful'%3C/script%3E Bug was found using APPScan...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:8 p.m.28 views

Implement user lockout mechanism to stop bruteforce login attacks

Hacker can try as many time he wants to login JIRA. You can build client, which sends username+password combinations as many time as you like. .. and if you have username, it is much easier to get in. ---- Implementation ideas: 1 Lock user after sequential X incorrect logins - X can be set by...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/03/27 12:36 a.m.28 views

Support nested groups

panel:title=Resolved in Confluence 3.5|borderStyle=solid|borderColor=3C78B5|titleBGColor=3C78B5|bgColor=E7F4FA We are pleased to advise that support for nested groups is available in Confluence 3.5. You can find instructions on how to configure nested groups in our documentation: Configuring User...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/07/09 10:11 p.m.28 views

Login errors in 1.3

When logging in as our special user who is restricted to one certain project, I get this error message from secure/Dashboard.jspa java.lang.IllegalArgumentException: Source may not be null at webwork.util.SubsetIteratorFilter.setSourceSubsetIteratorFilter.java:33 at...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/05/22 12:31 p.m.28 views

Problem when signing up for new user Account from login page

I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to login with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroupsUser.java:94 at...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.27 views

File Inclusion in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in version 11.3.3 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N allows an unauthenticated attacker to get...

8.2CVSS6.8AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.27 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Bamboo Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows ...

7.5CVSS5.8AI score0.0064EPSS
Exploits1
Atlassian
Atlassian
added 2025/11/14 6:28 a.m.27 views

RCE (Remote Code Execution) Third-Party Dependency in Bitbucket Data Center and Server - CVE-2024-38999

note: This is a critical vulnerability in a non-Atlassian Bitbucket dependency. However, Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. This...

10CVSS6.8AI score0.00749EPSS
Exploits0
Atlassian
Atlassian
added 2025/01/14 8:14 a.m.27 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Bitbucket Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, and 9.4.0 of Bitbucket Data Center and Server. This...

7.5CVSS7.6AI score0.02015EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/16 8:11 p.m.27 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Confluence Data Center and Server

This High severity com.nimbusds:nimbus-jose-jwt Dependency vulnerability was introduced in versions 3.7 of Confluence Data Center and Server. This com.nimbusds:nimbus-jose-jwt Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allo...

7.5CVSS7AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/20 8:48 a.m.27 views

DoS (Denial of Service) decode-uri-component Dependency in Confluence Data Center

This High severity decode-uri-component Dependency vulnerability was introduced in version 7.0.1 of Confluence Data Center. This decode-uri-component Dependency vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to expose assets in your environment susceptible to...

7.5CVSS7.1AI score0.24928EPSS
Exploits1
Atlassian
Atlassian
added 2024/07/10 9:52 a.m.27 views

File Inclusion in Bamboo Data Center and Server

This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the...

8.1CVSS7.8AI score0.00746EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/30 12:2 a.m.27 views

Injection Vulnerability in Assets Discovery

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 all versions. h3. What is Assets Discovery Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Manageme...

7.2CVSS6.9AI score0.00794EPSS
Exploits0
Atlassian
Atlassian
added 2023/06/13 2:28 p.m.27 views

Smart commit action do not respect user permission for Comment actions

h3. Summary When executing a smart commit for adding a comment as per Processing issues with Smart Commits|https://confluence.atlassian.com/jirasoftwareserver0904/processing-issues-with-smart-commits-1188765783.html, it is not failing even if the user does not have permission for the requested...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/05/15 12:36 p.m.27 views

Confluence System error page is displaying environment details.

h3. Issue Summary Confluence System error page is displaying environment details. This has been fixed as per https://jira.atlassian.com/browse/CONFSERVER-55306 but the issue still persists. This is reproducible on Data Center: yes h3. Steps to Reproduce Create a Confluence instance with version...

6.8AI score
Exploits0
Atlassian
Atlassian
added 2021/11/02 9:56 a.m.27 views

Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13

h3. Issue Summary Upgrade Confluence to latest Adopt OpenJDK versions 11.0.13...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/06/22 10:58 a.m.27 views

Plan managed by specs allows to modify artifact dependencies with UI

h3. Issue Summary RSS-managed plan should be in View mode for every tab and page. h3. Steps to Reproduce Create plan managed by RSS with artifact subscription settings Open Plan config page and visit artifacts tab of job Click Edit or Delete button of artifact subscription item h3. Expected Resul...

2AI score
Exploits0
Atlassian
Atlassian
added 2021/03/01 8:35 p.m.28 views

Blind SSRF in widgetConnector - CVE-2021-26072

Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery SSRF vulnerability in the widgetconnector plugin. When running in an environment like Amazon EC2, this flaw may be used to access...

4.3CVSS4.5AI score0.38845EPSS
Exploits0
Atlassian
Atlassian
added 2020/11/23 4:53 a.m.27 views

SQL Injection in Jira Software Server [Integration for HipChat]

Affected versions of Jira Server have a SQL injection vulnerability that has now been fixed by removing the vulnerable HipChat integration plugin. Affected versions: versions 8.14.0 Fixed versions: 8.14.0 The plugin is no longer installed in new versions of Jira. However, the removal of the plugi...

3.5AI score
Exploits0
Atlassian
Atlassian
added 2020/08/03 12:57 a.m.27 views

Information disclosure of repository HTTP password in logs - CVE-2017-18112

Affected versions of Atlassian FishEye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. Affected versions: version 4.8.3 Fixed versions: 4.8.3 4.9.0...

6.5CVSS6.1AI score0.01019EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/28 6:27 p.m.27 views

Improve error handling in commits page and REST endpoint

Adding a trail "%27" at the commits page URL in Bitbucket causes the application to output the error below. !screenshot-1.png|thumbnail! This error is improper error handling as it shows the path to the git executable in the server as well as it exceeds the limits of the error page and does not...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/18 2:44 a.m.27 views

Denial of service in Dashboard & Gadgets - CVE-2020-14167

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service DoS vulnerability in Dashboard & Gadgets. Affected versions: version 7.13.14 8.5.0 ≤ version 8.5.5 8.8.0 ≤ version 8.8.2 8.9.0 ≤ version 8.9.1 Fixed...

7.5CVSS6.2AI score0.02129EPSS
Exploits0
Atlassian
Atlassian
added 2020/03/17 3:45 a.m.27 views

Improper Authorization in Applinks - CVE-2019-20105

The Application links plugin used in Atlassian Confluence Server and Data Center before version 6.13.11, and from version 6.14.0 before version 7.3.3 allows remote attackers with administrator privileges to edit existing applinks without passing WebSudo via an improper authorization check. See...

4.9CVSS5.2AI score0.01487EPSS
Exploits0
Atlassian
Atlassian
added 2019/02/21 3:25 a.m.27 views

Sending a specific stream of data on the Hazelcast 5701 port can lead to Bitbucket being unavailable

h3. Issue Summary Specific data streams can cause Bitbucket nodes to become unresponsive. The following can be found in the logs: noformat WARN hz.hazelcast.IO.thread-Acceptor c.h.nio.tcp.SocketAcceptorThread :5701 3.7.4-atlassian-43 java.io.UTFDataFormatException: Rejecting request to read...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2018/12/07 5:49 p.m.27 views

Sessions never expire due to continuous XHR

Summary Sessions in Bamboo are supposed to have a default inactivity timeout of 30 minutes see https://confluence.atlassian.com/bamkb/how-to-change-bamboo-user-session-timeout-848977292.html, however regardless of which timeout period is set, sessions never time out if a user doesn't close their...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2018/03/08 9:8 a.m.27 views

Various resources included the current remote directory password in their responses - CVE-2016-10740

Various resources in Atlassian Crowd before before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories via examining the responses of various resources...

4.9CVSS4.6AI score0.01056EPSS
Exploits0
Atlassian
Atlassian
added 2018/02/05 4:40 p.m.27 views

Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially

h3. Summary Nested groups with uppercase letters cannot be removed from Confluence, after having been synced initially. If you synchronize nested groups with upper case letters into Confluence from Crowd / LDAP, and then update the external directory to remove the child groups, the groups will no...

2AI score
Exploits0
Atlassian
Atlassian
added 2017/12/12 8:33 a.m.27 views

REST endpoint user impersonation using authentication module functionality - CVE-2017-16858

The 'crowd-application' plugin module notably used by the Google Apps plugin in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given th...

6.8CVSS1.8AI score0.00576EPSS
Exploits0
Atlassian
Atlassian
added 2017/11/22 5:11 p.m.27 views

Repo password on display for the world to see.

I just noticed that my machine user name and password are on display above the commit dialog. Since this job site uses single sign on for everything, that's my username and password for the entire system here. I have three different repos loaded in Sourcetree. Because of single sign on, that is...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/10/17 2:8 p.m.27 views

Contributors Summary Macro Shows Data to Anonymous Users

h2. Steps to reproduce In Global Permission, ensure Anonymous users "Can Use" Confluence Create new Space , eg: SpaceA Go To Space Tools Permissions Edit Permission Ensure Anonymous Users has "View" Permission Create a few test pages in SpaceA Then, create a page containing both Contributors Macr...

4AI score
Exploits0
Atlassian
Atlassian
added 2017/06/02 3:55 p.m.27 views

Bitdefender reported virus in Git LFS plugin

!Capture1.PNG!...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/17 4:45 a.m.27 views

Shell Injection in SourceTree for Mac

SourceTree for Mac had a shell injection vulnerability starting with 1.9.8 prior to 2.3.1 the fixed version. By visiting a malicious website or by convincing a user to click a sourcetree:// URL with a vulnerable version of SourceTree for Mac installed an attacker could use a shell injection...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/13 4:59 a.m.27 views

The Confluence Login page should not gives details of build version to unauthenticated users

The login page discloses detailed version information of the application to unauthenticated users. !screenshot-1.png|thumbnail! This information facilitates finding vulnerabilities for possible attackers suggestion: Remove the build number completely in the login page...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/08/02 3:31 p.m.27 views

JSON export doesn't differentiate public from internal comments

h4. +Summary+ Currently, when exporting a SD request to JSON format, it's not possible to tell which comment is internal or public from the JSON file. h4. +Steps to reproduce+ Go to Manage add-ons - All add-ons - jira-importers-plugin - Enable JSON export Create an SD request and add one internal...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/03/02 10:0 p.m.27 views

Enabling SSL Broker for Remote Agents breaks Elastic Agent connectivity

h3. Summary When enabling SSL connectivity for remote agents by changing the Broker URL and Broker Client URL protocols from tcp:// to ssl://, elastic agents are no longer able to connect h3. Steps to Reproduce Start an Elastic Agent and run a test build to confirm Elastic Agents are connecting...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2016/01/07 11:25 a.m.27 views

One FishEye admin can get access to repository password provided by another admin

It was possible to retrieve the repository passwords provided by another administrator via web browser session. It was fixed now, so password can still be changed or unset if necessary, but it is not possible to read its contents...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/02 3:27 a.m.27 views

xss by swf file

In confluence comment module user can embed swf file in their comment, confluence are using a atltoken parameter on GET HTTP request, if the attacker send the link of .swf file the value of src on embed tag to his victim the malicious .SWF won't execute on the victim's browser . We can bypass thi...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/08 11:4 a.m.27 views

"JIRA Project Releases" event should respect Project's permissions

Adding "JIRA Project Releases" event type to the Team calendar seems to NOT respect permissions from the project. It means even people that have no access to some project will see the release dates from the forbidden project. Expected behavior: Users should see only "JIRA Project Releases" from...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/05/25 10:28 a.m.27 views

JIRA HTTP Dump Recorded Credential information As Text

Example steps to reproduce: Example 1: enable HTTP Access Logging and the HTTP dump log Change Password in the atlassian-jira-http-dump.log , the user's credential will be in the log as text Example 2: enable HTTP Access Logging and the HTTP dump log exit Administrations menu/logout go to any...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2015/05/25 10:28 a.m.27 views

JIRA HTTP Dump Recorded Credential information As Text

Example steps to reproduce: Example 1: enable HTTP Access Logging and the HTTP dump log Change Password in the atlassian-jira-http-dump.log , the user's credential will be in the log as text Example 2: enable HTTP Access Logging and the HTTP dump log exit Administrations menu/logout go to any...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/02/26 1:52 p.m.27 views

Member of confluence-administrators group able to see restricted page in pagetree, quick search and navigation panel

Bug Background Confluence super-users or member of confluence-administrators group should be able to access any content in Confluence including restricted content as long as it have the direct URL to access as describe in our documentation...

0.7AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295