4295 matches found
Putting a word in quotes and having the > character in the summary allows scripts to execute
h3. Issue Summary If you have a summary with a word in double quotes, similar to "Something" and have the character. Then you can execute actions through tags in the summary This is reproducible on Data Center: Yes h3. Steps to Reproduce This can be reproduced when editing and creating an issue...
Template Injection in Email Templates leads to RCE on Jira Service Management Server
Affected versions of Atlassian Jira Service Management Server and Data Center allows JIRA Administrators to execute arbitrary system commands via a template injection in the endpoint /admin/EmailTemplatesSettings!default.jspa. The affected versions are before version 8.13.19, from version 8.14.0...
Admin user can toggle JMX monitoring without WebSudo validation
Affected versions of Atlassian Jira Server and Data Center allow attackers with administrator privileges to bypass WebSudo validation in order to toggle JMX monitoring, via a Broken Access Control vulnerability in the JmxMonitoringAction.jspa endpoint. The affected versions are before version...
Bitbucket XSS, privilege escalation from "Project Creator" to "System admin" on project deletion
This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...
About Jira page can be accessed anonymously
h3. Issue Summary "About Jira" page can be accessed anonymously. This can expose the Jira application versions. Some customers might want to prevent this information from being available as it could be used to target other vulnerabilities specific to the version. h3. Steps to Reproduce Access...
Information disclosure of project key existence vulnerability in Jira - CVE-2019-20403
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability...
Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011
The version of the Application Links plugin used in Jira before version 8.4.2 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...
Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009
The /json/profile/removeStarAjax.do resource in Atlassian Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability...
XSS in the /plugins/servlet/branchreview resource through the reviewedBranch parameter - CVE-2019-15008
The /plugins/servlet/branchreview resource in Atlassian Fisheye before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the reviewedBranch parameter...
Disabling SAML override in Confluence Data Center doesn't work
h3. Issue Summary Disabling SAML override in Confluence DC, to ensure no users can log in to Confluence via SAML/SSO only, still allows users to use default login URL and access the instance with local credentials. h3. Steps to Reproduce Configure Confluence DC with SAML/SSO steps not covered her...
commons-beanutils - Authorization Bypass in confserver/confluence-frontend-plugins (master)
h1. Authorization Bypass in confserver/confluence-frontend-plugins master| h4. Issue Details Vulnerability: Authorization Bypass Severity: color:f9423aHighcolor Project: confserver/confluence-frontend-plugins Branch: master Scan Date: Unknown h4. Issue Description commons-beanutils2 is vulnerable...
The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service
The version of moment.js used in Jira Service Desk Server before version 4.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...
Insufficient Session Expiration of user sessions - CVE-2018-20238
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability...
Crowd silently ignores changes to active status of users in Azure AD.
When Crowd synchronises users for the very first time from Azure AD it will recognise "active" state of users correctly. Unfortunately, on next synchronisations Crowd ignores changes to these statuses, so once they are set, they will never change...
Deprecate support for authenticating using os_username, os_password as url query parameters
h4. Problem Support for using osusername and ospassword to authenticate when used as url query parameters has been deprecated in Jira 8.0.0. It is possible to disable support for osusername & ospassword as url query parameters for authentication by setting allowUrlParameterValue to false in...
XSS in various types of nested wiki markup - CVE-2017-18102
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in nested wiki markup...
REST API - Improved HTTP Authentication
h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. I...
JQuery Update to the latest version
h3. Definition JQuery is currently at version 1.7.2 where it contains 1 medium security vulnerability. h3. Suggestion To update the JQuery version that does not have a vulnerability threat...
Repo password on display for the world to see.
I just noticed that my machine user name and password are on display above the commit dialog. Since this job site uses single sign on for everything, that's my username and password for the entire system here. I have three different repos loaded in Sourcetree. Because of single sign on, that is...
Contributors Summary Macro Shows Data to Anonymous Users
h2. Steps to reproduce In Global Permission, ensure Anonymous users "Can Use" Confluence Create new Space , eg: SpaceA Go To Space Tools Permissions Edit Permission Ensure Anonymous Users has "View" Permission Create a few test pages in SpaceA Then, create a page containing both Contributors Macr...
Email address is not validated when updating user profile
On the view profile page /secure/ViewProfile.jspa it's possible to update your user profile /secure/EditProfile!default.jspa?username=admin to an invalid email address. See attached screenshots. !Screen Shot 2017-09-28 at 2.49.48 PM.png|thumbnail! !Screen Shot 2017-09-28 at 2.49.58...
XSS on Delete Webhook
It was possible for users with JIRA administrator rights to perform an XSS attack through convincing another user, potentially a user with system administrators rights, to delete a specific webhook...
Empty REST API result return for User without Browse Users permission
h3. Summary User A who do not have permission to Browse Users but have Administrator and/or System Administrator will have REST API result return empty. As an example of the json data return: code:borderStyle=dashed code h3. Steps to Reproduce Create User A Gives User A permission to Administrato...
CVE-2016-4321: XSS in moving User Repos
There was a XSS, which required user interaction, when moving user repositories...
Enabling SSL Broker for Remote Agents breaks Elastic Agent connectivity
h3. Summary When enabling SSL connectivity for remote agents by changing the Broker URL and Broker Client URL protocols from tcp:// to ssl://, elastic agents are no longer able to connect h3. Steps to Reproduce Start an Elastic Agent and run a test build to confirm Elastic Agents are connecting...
Upgrade to version 3.2.2 of apache commons-collections
quote This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for...
Upgrade to version 3.2.2 of apache commons-collections
quote This v3.2.2 release is a bugfix release, fixing several bugs present in the previous releases of the 3.2 branch. Additionally, this release provides a mitigation for a known remote code exploitation via the standard java object serialization mechanism. By default, serialization support for...
XSRF check failure when trying to add a logo to a topic
h3. Steps to reproduce Create a topic in Confluence Questions. Select an image as a logo. Click Done. h3. Expected results The topic is created with the chosen logo. h3. Actual results The topic is created, but with the default tag logo. h3. Notes The same thing occurs when trying to add a logo t...
Cross-Site Scripting in subscribetocalendar.action
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48910. panel The contents of the 'subCalendarId' parameter is not validated in POST requests to 'subscribetocalendar.action' and...
XSS in JIRA via PDF attachment
PDF attachments are considered active content and can be used to xss users...
Modernize Confluence Backup & Restore
As a User in all possible roles in order to save time & money and prevent unintended problems caused by the current implementation I want to have a modernized version of Backup & Restore from now on BR in Confluence. Acceptance criteria BR is GUI based BR functionality is integrated in GUI where ...
Restricted Question topic can be seen by restricted users
Bug Description As describe in a new feature available for Confluence questions: quote Use your existing space permissions - only people who can view the space can search for and see questions that were asked there.quote This will cause misunderstanding as users might think that Questions topics...
Log forging vulnerability
It is possible to fake log entries in FishEye/Crucible logs, by sending specially crafted http requests containing a newline character. For example going to the url /changelog/asd%0AFake%20log%20entry will cause the following to be logged: code 2015-03-24 09:59:09,564 INFO qtp1610928748-315 fishe...
Restricted blog post visible in the month summary page
Steps to reproduce: 1. create a new blog post, and restrict it to yourself 2. log in as another user and go to Blogs in sidebar 3. blog is not visible in the blogs summary page 4. click a visible blog in the same month 5. click the month link in the breadcrumb 5. restricted blog title and excerpt...
Confluence Security Settings not respected by Confluence Questions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47587. panel Hi Atlassian team, in our Confluence configuration we set "User email visibility" to "only visible to site...
UserPreferencesResource accepts form encoded data, is vulnerable to XSRF attacks
UserPreferencesResource exposes all data stored in a UserPreferences object, and allows updating it via a POST. This vulnerability needs to be closed before the next deployment...
Information disclosure in the REST API
Jira reports the 404 not-found earlier than the 401 not-authorized. This discloses the non-existence of a specific issue numbers to unauthorized users. While this isn't a huge leak, this could come in useful with social engineering. Proof of concept: Both of the calls below are unauthenticated, a...
Answers is vulnerable to BREACH (SSL/HTTP gzip) attack
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47215. panel This is an external report, and not a high priority - certainly much lower impact than ANSWERS-648. This issue was...
Answers is vulnerable to BREACH (SSL/HTTP gzip) attack
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47215. panel This is an external report, and not a high priority - certainly much lower impact than ANSWERS-648. This issue was...
XSRF Protection Disables Basic URL Rest Authorization
According to this REST page: https://developer.atlassian.com/display/BAMBOODEV/Using+the+Bamboo+REST+APIs You should be able to login to REST via a URL request by using the following scheme: "http://host:8085/rest/api/latest/plan?osauthType=basic&osusername=&ospassword=" This worked fine for us...
Bamboo exposes username and password if Git checkout fails.
If the repository checkout fails, the username and password are exposed in plain text on the web interface and in the logs. To reproduce: Environment: on-demand instance version 5.2-OD-4, Build 4004 Create a plan that checks out a git repository using https with authentication. Run plan Do...
Password displayed in clear text when logging in to a websudo session that has expired
When entering the username/password in the websudo dialog after the user session has expired, JIRA displays all submitted values, including the password in clear text. This is a breach in security; the password should never be displayed in clear text on a web page...
Unauthenticated enumeration of resource information via tinymce plugin
It is possible for unauthenticated users to retrieve a large amount of information from a Confluence instance, including page titles, attachment filenames, and username, by making calls to the link REST API in the confluence-tinymce-plugin. This is effective even when the anonymous user does not...
getRedirect in JiraWebActionSupport redirects to unsafe URLs by default
In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found: code:java / Redirects to the value of @code getReturnUrl, falling back to @code defaultUrl if the @code returnUrl is not set. This method clears the @code returnUrl. If...
Moving pages around spaces using HTTP get without XSRF token
Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this: http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2 Malicious example of how to exploit this in an email message: after opening the email, th...
Moving pages around spaces using HTTP get without XSRF token
Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this: http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2 Malicious example of how to exploit this in an email message: after opening the email, th...
CSRF in doremoveblogpost.action
Any page can be deleted if a user with sufficient privileges to delete the page clicks an attacker controlled link, or views an image at an attack controller URL. /pages/doremoveblogpost.action?pageId=...
Crowd OpenID server does not enforce profile ownership for viewing
Similar to CWD-3465, it seems that not enforce profile ownership for viewing. That is, a non-admin user called Mallory can view Alice's profile information if Mallory obtains Alice's profileId number. For example, https://openid.atlassian.com/secure/profile/editprofiles.action?profileID=15240744...
Agile board "Add Status" button is not available unless you are member of jira-administrators
As a project administrator or board owner I need to be able to be able to add/remove Statused by using the "Add Status" button from the board Configuration window. Currently this button does appear only for jira-administrators...
UI Redressing (Clickjacking)
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-29230. panel Confluence is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to fra...