4295 matches found
Arbitrary file creation in AbstractRendererExporterImpl
To reproduce: 1. Create a new space. 2. Create a new page. 3. Attach a file called test.txt to the page. 3. Edit the page, and add an image with the URL: code /confluence/s/download/attachments/pageid//../../../../../../../../../../../../tmp/test.txt code \pageid\ must be replaced with the actual...
'self' xss reported in a question's moderate
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47423. panel We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com...
Reflected XSS in 'where' param of doSearchSite
Olivier Beg reported quote noformathttps://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=confall%22%3E%3Cimg%20src=x%20onerror=alert1%3Enoformat I asume he is DOM based because he works in google chrome. quote This results in code:html co...
XSS Vulnerability in AAC - Atlassian ID Display Name is not HTML-encoded on user hover
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46719. panel Raised from https://extranet.atlassian.com/jira/browse/INTSYS-23426...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Bamboo, the attacker needs to be able to access Bambo...
Reflected XSS in JIRA Admin Panel (Delete User)
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...
JSON-RPC API functions available anonymously even though anonymous API access is disabled.
The summary says it all really. The functions listed below can be used on our confluence service even though we have Anonymous API Access disabled check box not checked in admin control panel. This is an issue when it comes to confluence sites that have sensitive user or group information...
Allow cookie-less instance for security reasons
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-29687. panel Allow administrators to completely remove 'remember me' and disallow remembering usernames and passwords via HTML5...
XSS in /secure/admin/TempoServicesAccess.jspa
allowedIPAccresses is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token. noformat...
Security enhancement: do not allow POST parameters to be used in GETs
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-32076. panel My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your...
Default application configuration files are available for download
h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under /atlassian-jira/WEB-INF/... code/s/1519/3/1.0//WEB-INF/...code The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access h5...
Reflected xss in the jira-gadgets-plugin getLabelGroups rest resource
The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups rest resource that is vulnerable to reflected xss through the user supplied 'project' path parameter. The vulnerability is caused by building an error response message with a content type of text/html and not html encoding the...
Reflected XSS in Create Issue Details page
The Create Issue Detail page is vulnerable to reflected XSS. 1. Login to https://$JIRA/ 2. Visit https://$JIRA/secure/CreateIssueDetails.jspa?reporter="alert'XSS'alert'XSS'p+name%3D"&pid=10000&issuetype=2...
SQL injection in DefaultReferralManager
In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java the DefaultReferralManager class the deleteReferrersWithPrefix method is vulnerable to sql injection through the user controlled 'prefix' parameter. It is possible to exploit this issue as an Admin...
Session-timeout not being respected
As per the following KB I made changes that should have seen timeout reduced to 2 minutes. https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597 in /confluence/WEB-INF/web.xml code 2 code I can't force Confluence to have a session timeout. This issue has been reproduced on first...
Persistent XSS in the removepage.action page through the title of the parent page being deleted
The parent title of a confluence page is not html encoded when displayed in removepage.action this results in a persistent XSS vector. Steps to reproduce: 1. Add a page with a title of "" alert3; 2. from the Add menu select "Add page" so it is a child of the first page 3. save the new page child ...
Potential remote code execution due to embedding of old django-piston
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46819. panel The exposed atlassian api for forummodules found under forummodules/atlassian/api uses an outdated version of...
XSS vulnerability in Office Connector plugin
From: OFFCONN-81: Using "office excel"-macro as part of viewfile, which is part of office connector plugin seems to open up the possibility to get injected with XSS-code. Steps to reproduce: 1. Create an excel-file with following content in one cell: code '"alert'XSS' code 2. Attach this file to ...
The "user" Dark Features page is vulnerable to XSRF/csrf
The "User Dark Features" page located at $host/secure/ViewProfile.jspa?selectedTab=jira.user.profile.panels:up-darkfeatures-panel allows users to add dark features which only affect themselves. However, it is not protected against XSRF attacks. Note: the 'value' of dark features is not properly...
OauthApplinksServlet Open Redirect
The OauthApplinksServlet servlet has an open redirect vulnerability in the doGet that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirec...
admin/dev/usermacros.jsp lacks an XSRF token to add and remove user macros from Confluence.
admin/dev/usermacros.jsp does not require a csrf token to add and remove user macros from Confluence. This could allow an attacker to introduce a malicious user macro with 'bad' html and or javascript into a confluence instance through a csrf attack on an admin user...
Bamboo XML Vulnerability
We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo. This vulnerability allows an attacker to: Execute denial of service attacks against the Bamboo server, and Read all local files readable to the system user under which Bamb...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-24358. panel This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for...
Better error message when viewing an embedded calendar as an unprivileged user
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-51101. panel On our site's dashboard I have a calendar macro defined as:...
Members of confluence-administrators group can browse to restricted pages
Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...
Cross-Site Request Forgery
Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...
XSRF token broken when you edit an Issue Type Scheme
If you click the Edit link beside the currently selected Issue Type Scheme on a Project Summary page and then click Save on the next screen you get an XSRF token missing error...
XSS vulnerability in space key, particularly with decorators off
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...
XSS in page renderer
An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...
Mail support request accepts any e-mail address
The SupportUtility allows the user to enter an arbitrary e-mail address to send a copy of the e-mail to. This issue removes the option for users to enter an e-mail address to CC. This issue also introduces a flag that prevents the TO address from being changed through the web interface. By defaul...
XSS Bookmark vulnerabilities
The Add bookmark page is vulnerable to XSS attacks...
The current CAPTCHA implementation may not be secure
The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...
Signing in with username with different case creates new user
We currently utilize LDAP for our user repository and allow users to be automatically added to crucible if they can successfully authenticate. We have recently received complaints from users that their names were showing up two times in reviews. After some analysis we saw that there were 2...
xss vulnerability in issuelinksmall.jsp
Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...
autocomplete box in page restrictions finds deleted users, wrong usernames
We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...
Confluence users should inherit permissions from the anonymous user
This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixed for registered groups only, not individual users who do not belong to any groups in Confluence, but have "Can Use" permission. If a user is a member of a specific group, the anonymo...
Links from indexbrowser.jsp are vulnerable to XSS attacks
CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...
Links from indexbrowser.jsp are vulnerable to XSS attacks
CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...
Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...
XSS in concurrent edit notification
If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...
The i18n in velocity templates does not auto html encode parameters
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means...
Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...
When a notification is sent out for a page that includes the \jiraissues\ macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions. Here are the steps to reproduce: Set up the trust relationship between your JIRA and Confluence installs Create...
Session must not be invalidated on logout
People ran into problems|http://forums.atlassian.com/thread.jspa?forumID=101&threadID=29965 because we started invalidating the session on logout in 2.9.2. They expect certain session attributes like the seraph LOGGEDOUTKEY to be present. This means we need to remove all session attributes except...
XSS in bookmarks plugin
The bookmarking code under the url http://localhost:8080/plugins/socialbookmarking/updatebookmark.action is vulnerable to XSS attacks using the spaceKey parameter: submitting the following code will execute javascript: spaceKey=%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E%22%3E IMPORTANT:...
Privilege escalation: User is able to add a page to his watchlist without having the permission
Szenario: create user1 and user2 user1 has access to space1 user2 has access to space2 user1 can add a page to his watchlist by manipulating using a proxy like webscarab the postrequest to http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr and replacing the id contained in paramete...
Pages that inherit page restrictions are not respecting those restrictions after upgrade to Confluence 2.9
Tested and verified in both customer enviornment and in test enviornment. In the event that you have a parent page restriction and a child page that inherits that restriction, upon upgrade, 2.9 will only respect the explicit parent permission in terms of security trims and actual access but not...
Manage Watchers shows users with no permission
We have just upgraded to Jira 3.12.2 and like the new functionality when adding watchers to an issue. There is one problem with this though. It is showing all users, including users with no permissions. This means that all employees that stopped working here will show in the drop down. We do not...
Users can move attachments to a space they have no permission for
Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence. Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably name...
XSS vulnerabilities in create/edit/copy page and blogpost actions
The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...