Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2009/10/21 1:33 a.m.25 views

Confluence users should inherit permissions from the anonymous user

This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixed for registered groups only, not individual users who do not belong to any groups in Confluence, but have "Can Use" permission. If a user is a member of a specific group, the anonymo...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/09 1:2 a.m.25 views

Links from indexbrowser.jsp are vulnerable to XSS attacks

CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/09 1:2 a.m.25 views

Links from indexbrowser.jsp are vulnerable to XSS attacks

CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2009/06/18 1:45 p.m.25 views

Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0

Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2009/05/26 1:29 a.m.25 views

XSS in concurrent edit notification

If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/07 2:13 a.m.25 views

The i18n in velocity templates does not auto html encode parameters

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:25 p.m.25 views

XSS in RSS feed creation

URL http://localhost:8080/dashboard/doconfigurerssfeed.action The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to: types="alertdocument.cookie complete example from the testenvironment:...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2008/09/15 3:57 p.m.25 views

Privilege escalation: User is able to add a page to his watchlist without having the permission

Szenario: create user1 and user2 user1 has access to space1 user2 has access to space2 user1 can add a page to his watchlist by manipulating using a proxy like webscarab the postrequest to http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr and replacing the id contained in paramete...

7AI score
Exploits0
Atlassian
Atlassian
added 2008/04/30 9:27 a.m.25 views

Manage Watchers shows users with no permission

We have just upgraded to Jira 3.12.2 and like the new functionality when adding watchers to an issue. There is one problem with this though. It is showing all users, including users with no permissions. This means that all employees that stopped working here will show in the drop down. We do not...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/15 12:31 a.m.25 views

Users can move attachments to a space they have no permission for

Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence. Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably name...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 5:24 a.m.25 views

XSS vulnerabilities in create/edit/copy page and blogpost actions

The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 5:24 a.m.25 views

XSS vulnerabilities in create/edit/copy page and blogpost actions

The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2008/02/25 6:5 a.m.25 views

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

If a user has at least view permissions on a space they can purge any page in that space using the URL: /pages/purgetrashitem.action?key=&contentId= and the right contentId and space key. A purge can be performed even if the page has not been marked for deletion. This issue has been replicated an...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2007/12/07 2:32 p.m.25 views

XSS vulnerability in recently updated and configure RSS feed actions

Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2007/10/16 1:27 a.m.25 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.25 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2007/09/25 8:45 p.m.25 views

Cross-site scripting vulnerability in /dashboard.action

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. 1 of 3 Cross-Site Scripting in Parameter Name Severity: High Test Type: Application...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.25 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/20 11:13 p.m.25 views

Need ability to limit use of remote API to certain users, or a certain group

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-7913. panel The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/18 10:28 p.m.25 views

Deleting user does not remove the user from a permission scheme

If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/10 3:49 p.m.25 views

Logon with wrong user/password gives 'weird' errorpage.

Error screen after wrong login is 'weird'...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.25 views

Obscure email addresses in Confluence Mail

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-2677. panel Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/09/17 9:37 a.m.25 views

MoveIssue does not keep the security issue level after the move.

MoveIssue does not keep the security issue level after the move...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/05/22 12:31 p.m.25 views

Problem when signing up for new user Account from login page

I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to login with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroupsUser.java:94 at...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:31 p.m.24 views

Directory Traversal vulnerability at plexus-utils dependency in Bamboo Data Center

This High severity File Inclusion vulnerability was introduced in versions 10.0.1, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H allows an...

8.8CVSS6.2AI score0.00663EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allow...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Security Headers Omission in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Security Headers Omission vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center...

9.1CVSS7.2AI score0.0048EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in version 11.3.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/27 8:29 p.m.24 views

DoS (Denial of Service) in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1 and 10.0.0 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS5.9AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/16 10:12 p.m.24 views

RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity RCE Remote Code Execution vulnerability was introduced in versions 11.3.3 of Jira Software Data Center. This RCE Remote Code...

9.8CVSS6.5AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

MITM (Man-in-the-Middle) org.apache.tomcat:tomcat-coyote Dependency in Bamboo Data Center

This High severity MITM Man-in-the-Middle vulnerability was introduced in versions 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This MITM Man-in-the-Middle vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows...

7.5CVSS5.8AI score0.00498EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

HTTP Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.7AI score0.00453EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

Injection org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity Injection vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:55 p.m.24 views

DoS (Denial of Service) Apache Struts Dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, and 12.0.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to cause a resource to be...

7.5CVSS5.8AI score0.01456EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/06 5:29 a.m.24 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2CVSS6AI score0.00541EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/25 6:29 p.m.24 views

DoS (Denial of Service) com.nimbusds:nimbus-jose-jwt Dependency in Crucible Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.8.0, 4.9.0 of Crucible Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker...

7.5CVSS5.8AI score0.00814EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/09 4:27 p.m.24 views

mXSS (mutation Cross-Site Scripting) dompurify Dependency in Jira Software Data Center and Server

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity nesting-based mXSS mutation Cross-Site Scripting vulnerability was introduced in version 10.3.0 of Jira Software Data Center...

10CVSS5.8AI score0.01093EPSS
Exploits2
Atlassian
Atlassian
added 2025/10/15 4:47 a.m.24 views

Path Traversal (Arbitrary Write) in Jira Service Management Data Center and Server Data Center and Server

This High severity Path Traversal Arbitrary Write vulnerability was introduced in versions: 5.12.0 and 10.3.0 of Jira Service Management Data Center and Server. This Path Traversal Arbitrary Write vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable b...

8.7CVSS6.8AI score0.00428EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/13 1:27 a.m.24 views

PrivEsc (Privilege Escalation) in Jira Service Management Data Center

This High severity PrivEsc Privilege Escalation vulnerability was introduced in versions 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center. This PrivEsc Privilege Escalation vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileg...

8.8CVSS7AI score0.00445EPSS
Exploits0
Atlassian
Atlassian
added 2024/12/12 1:37 p.m.24 views

SSRF (Server-Side Request Forgery) [email protected] (NPM) in Crowd Data Center

This High severity SSRF Server-Side Request Forgery and Third-Party Dependency vulnerability was introduced in versions 6.0.4 and 6.1.2 of Crowd Data Center. This SSRF Server-Side Request Forgery and Third-Party Dependency vulnerability, caused by Axios 1.6.8, with a CVSS Score of 8.6, allows an...

7.5CVSS6.8AI score0.01414EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.24 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.2AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/08/15 8:11 p.m.24 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bamboo Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.011EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/11 5:22 a.m.24 views

Confserver ticket aggregation

Support CONFSERVER ticket aggregation similar to https://hello.atlassian.net/wiki/spaces/JIRASERVER/pages/3002952256/Experiment+-+JSEC+aggregates...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/11 5:51 a.m.24 views

QueryCompenentRenderer API returns project key

When an unauthenticated remote attacker accesses "/secure/QueryComponentRendererValue!Default.jspa?pid=10000", the project key is returned: code:java "project":"name":"Project","viewHtml":" \n \n Project:\n \n Project id=10,000 \n","editHtml":"\n","jql":"project =...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/06/28 12:13 p.m.24 views

Transition screen removed when project admin edits a transition

h3. Problem The relevant transition screen gets removed when a project admin without Jira Administrator global permission attempts to edit a transition. h3. Environment Jira h3. Steps to Reproduce Create a new project I used Scrum software development template Modify one of the transitions in the...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/12/12 12:15 p.m.24 views

Mask Webhook secret Key

While configuring webhooks in bitbucket, we have the option to provide a secret key that is not masked, and hence the plain text secret key is visible in audit logs, kindly mask the secret key Steps to reproduce Configure webhook in Bitbucket server When the hook is created,modified we see the...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2022/02/17 5:30 a.m.24 views

Source configuration information leakage in API response

Affected versions of Atlassian Jira Service Management Server and Data Center allow an unauthorised user to view source configuration information via information disclosure in the endpoint /rest/insight/1.0/progress/category/imports/. Affected versions: 4.19.0 Fixed versions: 4.20.6...

5AI score
Exploits0
Atlassian
Atlassian
added 2022/02/15 7:41 p.m.24 views

Leaked admin credentials via Insight object import

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated users to see admin credentials via an information disclosure vulnerability in the \BaseUrl/rest/insight/1.0/import/module/test/rlabs-import-type-json?objectSchemaId= endpoint. The affected versions a...

4.4AI score
Exploits0
Atlassian
Atlassian
added 2021/08/25 3:58 p.m.24 views

Anonymous users can view list of installed gadgets in Confluence

h3. Issue Summary Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Confluence instance. While there are not be any identifying information, user data, or anything else available to anonymous users if they hit th...

0.8AI score
Exploits0
Total number of security vulnerabilities4295