Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/03/11 5:24 a.m.25 views

XSS vulnerabilities in create/edit/copy page and blogpost actions

The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2008/02/25 6:5 a.m.25 views

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

If a user has at least view permissions on a space they can purge any page in that space using the URL: /pages/purgetrashitem.action?key=&contentId= and the right contentId and space key. A purge can be performed even if the page has not been marked for deletion. This issue has been replicated an...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2007/12/07 2:32 p.m.25 views

XSS vulnerability in recently updated and configure RSS feed actions

Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2007/10/24 6:4 a.m.25 views

Issues not shown in issue navigator that a user has permission for according to the issue security level

Users may not be able to see certain issues in the IssueNavigator, if they create an issue level security, where the permission depends on a user custom field where the customfield does not have a searcher set. Browsing the issue directly, works fine, however when running a search the issue wont ...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/16 1:27 a.m.25 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.25 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2005/02/10 3:49 p.m.25 views

Logon with wrong user/password gives 'weird' errorpage.

Error screen after wrong login is 'weird'...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.25 views

Obscure email addresses in Confluence Mail

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-2677. panel Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/09/17 9:37 a.m.25 views

MoveIssue does not keep the security issue level after the move.

MoveIssue does not keep the security issue level after the move...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/05/22 12:31 p.m.25 views

Problem when signing up for new user Account from login page

I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to login with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroupsUser.java:94 at...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:31 p.m.24 views

Directory Traversal vulnerability at plexus-utils dependency in Bamboo Data Center

This High severity File Inclusion vulnerability was introduced in versions 10.0.1, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H allows an...

8.8CVSS6.2AI score0.00663EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allow...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Security Headers Omission in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Security Headers Omission vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center...

9.1CVSS7.2AI score0.0048EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in version 11.3.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/27 8:29 p.m.24 views

DoS (Denial of Service) in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1 and 10.0.0 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS5.9AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/16 10:12 p.m.24 views

RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity RCE Remote Code Execution vulnerability was introduced in versions 11.3.3 of Jira Software Data Center. This RCE Remote Code...

9.8CVSS6.5AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

MITM (Man-in-the-Middle) org.apache.tomcat:tomcat-coyote Dependency in Bamboo Data Center

This High severity MITM Man-in-the-Middle vulnerability was introduced in versions 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This MITM Man-in-the-Middle vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows...

7.5CVSS5.8AI score0.00498EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

HTTP Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.7AI score0.00453EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/06 5:29 a.m.24 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2CVSS6AI score0.00541EPSS
Exploits1
Atlassian
Atlassian
added 2025/10/15 4:47 a.m.24 views

Path Traversal (Arbitrary Write) in Jira Service Management Data Center and Server Data Center and Server

This High severity Path Traversal Arbitrary Write vulnerability was introduced in versions: 5.12.0 and 10.3.0 of Jira Service Management Data Center and Server. This Path Traversal Arbitrary Write vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable b...

8.7CVSS6.8AI score0.00428EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/01 7:12 a.m.24 views

DoS (Denial of Service) com.thoughtworks.xstream:xstream Dependency in Bamboo Data Center and Server

This High severity com.thoughtworks.xstream:xstream Dependency vulnerability was introduced in versions 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 10.0.0-rc5, 10.1.0, and 10.2.0 of Bamboo Data Center and Server. This com.thoughtworks.xstream:xstream Dependency vulnerability, with a CVSS Score of 7...

7.5CVSS7.6AI score0.02015EPSS
Exploits0
Atlassian
Atlassian
added 2024/11/22 1:6 a.m.24 views

com.amazonaws:aws-java-sdk-s3 Dependency in Bamboo Data Center and Server

This High severity com.amazonaws:aws-java-sdk-s3 Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, and 9.2.1 of Bamboo Data Center and Server. This com.amazonaws:aws-java-sdk-s3 Dependency vulnerability, with a CVSS Score of 7.9 and a CVSS Vector of...

7.9CVSS6.3AI score0.01193EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/09 5:10 a.m.24 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bitbucket Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability...

7.5CVSS7.3AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/21 12:15 p.m.24 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Crowd Data Center and Server

This High severity org.apache.tomcat:tomcat-coyote Dependency vulnerability was introduced in versions 5.1.0, 5.2.0, 5.3.0, and 6.0.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-coyote Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS7.2AI score0.04602EPSS
Exploits0
Atlassian
Atlassian
added 2024/01/26 6:50 a.m.24 views

Confluence's create-content operation takes up to 20 minutes to completely render the Create dialog

h3. Issue Summary Confluence's create-content operation clicking the "..." button next to the Create button at the top left results in a create-dialog window that can take up to 20 minutes to fully render. This is reproducible on Data Center: yes h3. Steps to Reproduce On an affected version of...

7AI score
Exploits0
Atlassian
Atlassian
added 2023/09/11 5:51 a.m.24 views

QueryCompenentRenderer API returns project key

When an unauthenticated remote attacker accesses "/secure/QueryComponentRendererValue!Default.jspa?pid=10000", the project key is returned: code:java "project":"name":"Project","viewHtml":" \n \n Project:\n \n Project id=10,000 \n","editHtml":"\n","jql":"project =...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/28 12:13 p.m.24 views

Transition screen removed when project admin edits a transition

h3. Problem The relevant transition screen gets removed when a project admin without Jira Administrator global permission attempts to edit a transition. h3. Environment Jira h3. Steps to Reproduce Create a new project I used Scrum software development template Modify one of the transitions in the...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/12/12 12:15 p.m.24 views

Mask Webhook secret Key

While configuring webhooks in bitbucket, we have the option to provide a secret key that is not masked, and hence the plain text secret key is visible in audit logs, kindly mask the secret key Steps to reproduce Configure webhook in Bitbucket server When the hook is created,modified we see the...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2022/02/17 5:30 a.m.24 views

Source configuration information leakage in API response

Affected versions of Atlassian Jira Service Management Server and Data Center allow an unauthorised user to view source configuration information via information disclosure in the endpoint /rest/insight/1.0/progress/category/imports/. Affected versions: 4.19.0 Fixed versions: 4.20.6...

5AI score
Exploits0
Atlassian
Atlassian
added 2022/02/15 7:41 p.m.24 views

Leaked admin credentials via Insight object import

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated users to see admin credentials via an information disclosure vulnerability in the \BaseUrl/rest/insight/1.0/import/module/test/rlabs-import-type-json?objectSchemaId= endpoint. The affected versions a...

4.4AI score
Exploits0
Atlassian
Atlassian
added 2021/08/25 3:58 p.m.24 views

Anonymous users can view list of installed gadgets in Confluence

h3. Issue Summary Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Confluence instance. While there are not be any identifying information, user data, or anything else available to anonymous users if they hit th...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2021/07/08 1:49 a.m.24 views

An admin can downgrade or remove a group with sys admin privilege

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

5.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/06/21 11:34 a.m.24 views

Attachments gets downloaded on Chromium based browsers even after user logs out from Confluence

h3. Issue Summary Attachments gets downloaded on Chromium based browsers even after user logs out from the page h3. Steps to Reproduce Create a new page in Confluence Attach any PDF or picture or any file in that page and then publish the page Copy the image link by right clicking on the image as...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/04/12 10:9 p.m.24 views

XSS via parameter pollution

Jira Service Management Server and Data Center allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability caused by parameter pollution. Affected versions: version 4.5.13 4.13.0 ≤ version 4.13.5 4.15.0 ≤ version 4.15.1 Fixed versions: 4.5.13 4.13.5...

5.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/03/24 1:37 p.m.24 views

Cross Site Scripting vulnerability allows injecting HTML code into table edits

h3. Issue Summary Cross Site Scripting vulnerability allows injecting HTML code into table edits h3. Steps to Reproduce Edit a page Then access the Insert macro 'Info' option. A new window will open, in which the Preview option must be selected. With the help of an intermediate proxy such as burp...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/06/18 2:26 p.m.24 views

Comment button visible to users without permission on boards

h3. Issue Summary When a project's permissions are set to allow viewing by any logged in user, but commenting is limited to specific project roles, if a user attempts to comment from a board, the button is available to them and they see the following error message: panel:bgColor=eeeeee...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/26 4:13 p.m.24 views

Improper Authorization in Fisheye & Crucible through ATST Plugin - CVE-2019-15005

The Atlassian Troubleshooting and Support Tools ATST plugin prior to version 1.17.2 which was used in Fisheye & Crucible before version 4.7.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. Th...

4.3CVSS3.5AI score0.01334EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 3:12 p.m.24 views

General user Agent Status page reveals also details of builds for users that do not have View permission

h3. Issue Summary h3. Environment This issue is approved to happen for Bamboo version 6.9.1, likely it happens for all Bamboo versions. h3. Steps to Reproduce Define a non-Admin user a Bamboo admin already should exist via installation Provide global, project and plan permissions to this user,...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/03/21 12:52 a.m.24 views

The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service

The version of moment.js used in Jira Service Desk Server before version 4.0.0 allows remote attackers to cause a denial of service in user's browsers via a regular expression denial of service. For additional details...

4.5AI score
Exploits0
Atlassian
Atlassian
added 2018/09/21 10:27 a.m.24 views

Deprecate support for authenticating using os_username, os_password as url query parameters

h4. Problem Support for using osusername and ospassword to authenticate when used as url query parameters has been deprecated in Jira 8.0.0. It is possible to disable support for osusername & ospassword as url query parameters for authentication by setting allowUrlParameterValue to false in...

3.7AI score
Exploits0
Atlassian
Atlassian
added 2018/06/22 2:31 p.m.24 views

SSRF via REST API /plugins/servlet/gadgets/makeRequest

Confluence installations have permissive whitelist that allows to fetch any URL using confluence like as the proxy. Use GET request GET /plugins/servlet/gadgets/makeRequest?url= Example: to get Yandex start page or any resource you want. code:java GET...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2017/03/13 4:15 a.m.24 views

Restricted Work Log entries show in the Activity Stream for JIRA Cloud

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/19 9:29 a.m.24 views

XSS attack possible on FishEye file history page

The File History page was vulnerable to XSS...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/18 5:46 p.m.24 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0
Atlassian
Atlassian
added 2017/01/05 2:52 p.m.24 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0
Atlassian
Atlassian
added 2016/12/12 11:54 p.m.24 views

Permission issue when configuring Default Reviewers

Certain permissions relating to Default Reviewers could be circumvented by authenticated users...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/25 7:44 a.m.24 views

XSRF Security Token Missing when clicking on Contact an administrator

h3. Summary Clicking on the "Contact an administrator to perform this action." results in XSRF Security Token Missing. Tested with : Chrome Version 54.0.2840.59 64-bit Firefox 49.0 h3. Steps to Reproduce Configure Outgoing Mail Enable Contact Administrators Form from General Configurations Create...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/10/11 1:45 p.m.24 views

Empty REST API result return for User without Browse Users permission

h3. Summary User A who do not have permission to Browse Users but have Administrator and/or System Administrator will have REST API result return empty. As an example of the json data return: code:borderStyle=dashed code h3. Steps to Reproduce Create User A Gives User A permission to Administrato...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/09 10:50 a.m.24 views

XSS vulnerability found in profile settings

There was a XSS vulnerability found in profile settings pages...

1.6AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295