4295 matches found
Enabling the XSRF in Bamboo cause the integration with JIRA 6.1.5 to break
Steps to reproduce: install JIRA 6.1.5 install Bamboo 5.3. Make sure the "Enable XSRF protection" is enabled via Bamboo Admin Security Security Settings integrate JIRA with Bamboo using Oauth authentication OR Basic Access OR Trusted Application in the JIRA UI, it will shows that JIRA can't conne...
The color of the issue security field should be configureable or black
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-36126. panel The color of the issue secuity field is red. Why? The color should be configureable or black, like other fields. I have already...
JIRA Workflow Step Property jira.permission.browse allows you to view issues in issue navigator
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-35917. panel h3. Summary The JIRA Workflow Step Property jira.permission.browse does not prevent you to view issues in issue navigator. h3...
Unauthenticated enumeration of resource information via tinymce plugin
It is possible for unauthenticated users to retrieve a large amount of information from a Confluence instance, including page titles, attachment filenames, and username, by making calls to the link REST API in the confluence-tinymce-plugin. This is effective even when the anonymous user does not...
Default application configuration files are available for download
h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under /confluence/WEB-INF/... code/s/1519/3/1.0//WEB-INF/...code The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access h5. Not...
Arbitrary file creation in AbstractRendererExporterImpl
To reproduce: 1. Create a new space. 2. Create a new page. 3. Attach a file called test.txt to the page. 3. Edit the page, and add an image with the URL: code /confluence/s/download/attachments/pageid//../../../../../../../../../../../../tmp/test.txt code \pageid\ must be replaced with the actual...
Reflected XSS in 'where' param of doSearchSite
Olivier Beg reported quote noformathttps://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=confall%22%3E%3Cimg%20src=x%20onerror=alert1%3Enoformat I asume he is DOM based because he works in google chrome. quote This results in code:html co...
Some of the REST resources in Navigator plugin are susceptible to XSRF attacks
Most of the REST resources in the Navigator plugin accept "x-www-form-urlencoded" bodies but do not check for an XSRF token when making mutative changes. For example: SaveFilterResource: Allow XSRF attack to change user's filter. SuppressedTipsResource UserSearchModeResource...
Reflected XSS in JIRA Admin Panel (Delete User)
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...
JSON-RPC API functions available anonymously even though anonymous API access is disabled.
The summary says it all really. The functions listed below can be used on our confluence service even though we have Anonymous API Access disabled check box not checked in admin control panel. This is an issue when it comes to confluence sites that have sensitive user or group information...
Security enhancement: do not allow POST parameters to be used in GETs
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-32076. panel My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your...
Default application configuration files are available for download
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-27693. panel h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under...
Reflected xss in the jira-gadgets-plugin getLabelGroups rest resource
The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups rest resource that is vulnerable to reflected xss through the user supplied 'project' path parameter. The vulnerability is caused by building an error response message with a content type of text/html and not html encoding the...
persistent xss in a user's username within mentions within comments
A user's username is injected into the "rel" attribute of the user mention link without being encoded properly. This means that if the username contains a " character then new attributes can be injected into the user mention link element. Hence, providing a persistent xss vector. To reproduce thi...
SQL injection in DefaultReferralManager
In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java the DefaultReferralManager class the deleteReferrersWithPrefix method is vulnerable to sql injection through the user controlled 'prefix' parameter. It is possible to exploit this issue as an Admin...
ldap injection in the custom atlassian authentication code
The custom atlassian ldap authentication code is vulnerable to ldap injection. The method which is vulnerable to ldap injection is the searchUser method, where the 'filter' parameter third argument to the searchs ldap method is passed through without using ldap.filter on it first. The code should...
Potential remote code execution due to embedding of old django-piston
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46819. panel The exposed atlassian api for forummodules found under forummodules/atlassian/api uses an outdated version of...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
h5. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and certificate match by unchecking this box when configuring your user directory: !Screen Shot 2013-04-16 at 3.10.37 PM.png! ---- h5. Original issue description Starting Confluence 4.2, th...
XSS vulnerability in Office Connector plugin
From: OFFCONN-81: Using "office excel"-macro as part of viewfile, which is part of office connector plugin seems to open up the possibility to get injected with XSS-code. Steps to reproduce: 1. Create an excel-file with following content in one cell: code '"alert'XSS' code 2. Attach this file to ...
persistent xss through svg file attachment download
The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml method. This means that is possible for a malicious party to upload a svg file containing html/javascript which will be rendered in victim's web browser. This bug should have been raised a while ag...
The "user" Dark Features page is vulnerable to XSRF/csrf
The "User Dark Features" page located at $host/secure/ViewProfile.jspa?selectedTab=jira.user.profile.panels:up-darkfeatures-panel allows users to add dark features which only affect themselves. However, it is not protected against XSRF attacks. Note: the 'value' of dark features is not properly...
Improve the default SSL cipherset in standalone JIRA setup
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-27681. panel We are concerned about 'SSL Weak Cipher Suites Supported' and 'SSL Medium Strength Cipher Suites Suppored'. Any suggestions woul...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-24358. panel This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for...
XSS vulnerability in /agent/configureAgents resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo configureAgents resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in /agent/viewAgent.action resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo viewAgent.action resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in default 'internal server error' page
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo default 'internal server error' page. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
Better error message when viewing an embedded calendar as an unprivileged user
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-51101. panel On our site's dashboard I have a calendar macro defined as:...
Web Sudo should be able to be subverted for non browsers (eg scripts) via a HTTP header
We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header. This posts shows the use case https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4 I believe it just as secure since web sudo is really design to stop som...
Cross-Site Request Forgery
Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...
XSS vulnerability in doeditmysettings.action
This vulnerability affects all versions from 3.5 and above. We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence settings editing action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more...
XSS vulnerability in login.action
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence login action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
XSRF token broken when you edit an Issue Type Scheme
If you click the Edit link beside the currently selected Issue Type Scheme on a Project Summary page and then click Save on the next screen you get an XSRF token missing error...
XSS vulnerability in space key, particularly with decorators off
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...
Can not UPDATE the "Viewable By" field of an issue
After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...
XSS in page renderer
An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...
The list of Confluence administrators is accessible via a URL
Confluence exposes a list of the administrators. This issue corrects this by removing the list and providing the user with a form that can be used to send e-mail to all the relevant administrators on the user's behalf...
XSS Bookmark vulnerabilities
The Add bookmark page is vulnerable to XSS attacks...
The current CAPTCHA implementation may not be secure
The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...
Signing in with username with different case creates new user
We currently utilize LDAP for our user repository and allow users to be automatically added to crucible if they can successfully authenticate. We have recently received complaints from users that their names were showing up two times in reviews. After some analysis we saw that there were 2...
autocomplete box in page restrictions finds deleted users, wrong usernames
We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...
Confluence users should inherit permissions from the anonymous user
This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixed for registered groups only, not individual users who do not belong to any groups in Confluence, but have "Can Use" permission. If a user is a member of a specific group, the anonymo...
Links from indexbrowser.jsp are vulnerable to XSS attacks
CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...
Links from indexbrowser.jsp are vulnerable to XSS attacks
CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...
Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...
XSS in concurrent edit notification
If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...
The i18n in velocity templates does not auto html encode parameters
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means...
Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...
When a notification is sent out for a page that includes the \jiraissues\ macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions. Here are the steps to reproduce: Set up the trust relationship between your JIRA and Confluence installs Create...
Forgot Password/Crowd Integration exception handling and regex improvements
If JIRA is integrated with Crowd, and Crowd has password restrictions e.g. regex, a user will receive a stack trace in JIRA if the new password does not meet Crowd's password requirements e.g. through the Forgot Password link in JIRA. noformat java.lang.IllegalArgumentException: Could not change...
Get 500 when trying to communicate to confluence via trusted apps.
Steps to reproduce. 1 Install confluence 2.9.2 and crucible 1.6.5 2 Setup trusted apps to crucible specify a "IP address Matches as 10.0.100.123 3 Install the confluence crucible plugin...