Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2011/08/09 7:49 a.m.25 views

Members of confluence-administrators group can browse to restricted pages

Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...

3.7AI score
Exploits0
Atlassian
Atlassian
added 2011/05/30 7:4 p.m.25 views

Cross-Site Request Forgery

Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/03/14 5:44 a.m.25 views

XSRF token broken when you edit an Issue Type Scheme

If you click the Edit link beside the currently selected Issue Type Scheme on a Project Summary page and then click Save on the next screen you get an XSRF token missing error...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2010/10/26 2:11 a.m.25 views

Intermittent Session Lost During Add/Edit Page in Firefox

We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/09/23 1:6 a.m.25 views

XSS vulnerability in space key, particularly with decorators off

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/20 3:2 a.m.25 views

Password strength measurement and restriction

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21358. panel Enable password strength rules to tell the user the effective strength of the password they choose optionally allow...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/27 4:58 a.m.25 views

XSS in page renderer

An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/27 1:3 a.m.25 views

Put a new security log into JIRA so that important events can be specifically logged

The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 12:59 a.m.25 views

Possible XSS injection in attachment upload

A XSS vulnerability has been identified in attachment upload. The severity of this issue has been rated HIGH. Please refer to the security advisory at http://confluence.atlassian.com/x/ZILmD for information on how we rate issues...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 12:36 a.m.25 views

XSS Bookmark vulnerabilities

The Add bookmark page is vulnerable to XSS attacks...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/18 1:44 a.m.25 views

The current CAPTCHA implementation may not be secure

The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2010/04/08 8:10 p.m.25 views

Signing in with username with different case creates new user

We currently utilize LDAP for our user repository and allow users to be automatically added to crucible if they can successfully authenticate. We have recently received complaints from users that their names were showing up two times in reviews. After some analysis we saw that there were 2...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/03/16 5:57 a.m.25 views

xss vulnerability in issuelinksmall.jsp

Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/01/20 6:41 p.m.25 views

autocomplete box in page restrictions finds deleted users, wrong usernames

We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2009/12/24 10:24 a.m.25 views

SSL for login page only does not work in Confluence 3.1

URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/21 1:33 a.m.25 views

Confluence users should inherit permissions from the anonymous user

This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixed for registered groups only, not individual users who do not belong to any groups in Confluence, but have "Can Use" permission. If a user is a member of a specific group, the anonymo...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/09 1:2 a.m.25 views

Links from indexbrowser.jsp are vulnerable to XSS attacks

CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/09 1:2 a.m.25 views

Links from indexbrowser.jsp are vulnerable to XSS attacks

CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2009/06/18 1:45 p.m.25 views

Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0

Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2009/05/26 1:29 a.m.25 views

XSS in concurrent edit notification

If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/15 10:52 a.m.25 views

Encrypted passwords in osuser.xml

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-17317. panel We need to set a crypted password instead plain text password in java.naming.security.credentials within osuser.xml...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/07 2:13 a.m.25 views

The i18n in velocity templates does not auto html encode parameters

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:25 p.m.25 views

XSS in RSS feed creation

URL http://localhost:8080/dashboard/doconfigurerssfeed.action The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to: types="alertdocument.cookie complete example from the testenvironment:...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2008/09/15 3:57 p.m.25 views

Privilege escalation: User is able to add a page to his watchlist without having the permission

Szenario: create user1 and user2 user1 has access to space1 user2 has access to space2 user1 can add a page to his watchlist by manipulating using a proxy like webscarab the postrequest to http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr and replacing the id contained in paramete...

7AI score
Exploits0
Atlassian
Atlassian
added 2008/04/15 12:31 a.m.25 views

Users can move attachments to a space they have no permission for

Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence. Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably name...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 5:24 a.m.25 views

XSS vulnerabilities in create/edit/copy page and blogpost actions

The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 5:24 a.m.25 views

XSS vulnerabilities in create/edit/copy page and blogpost actions

The following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString, mode, labelsString, captchaId The following create/edit blogpost URL's are vulnerable: -...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2008/02/25 6:5 a.m.25 views

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

If a user has at least view permissions on a space they can purge any page in that space using the URL: /pages/purgetrashitem.action?key=&contentId= and the right contentId and space key. A purge can be performed even if the page has not been marked for deletion. This issue has been replicated an...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2007/12/07 2:32 p.m.25 views

XSS vulnerability in recently updated and configure RSS feed actions

Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2007/10/16 1:27 a.m.25 views

DWR debug mode is enabled

This gives a potential attacker lots of information about available AJAX request handlers in Confluence...

4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/15 12:17 a.m.25 views

IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.

We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2007/09/25 8:45 p.m.25 views

Cross-site scripting vulnerability in /dashboard.action

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. 1 of 3 Cross-Site Scripting in Parameter Name Severity: High Test Type: Application...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.25 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/20 11:13 p.m.25 views

Need ability to limit use of remote API to certain users, or a certain group

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-7913. panel The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/18 10:28 p.m.25 views

Deleting user does not remove the user from a permission scheme

If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/10 3:49 p.m.25 views

Logon with wrong user/password gives 'weird' errorpage.

Error screen after wrong login is 'weird'...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.25 views

Obscure email addresses in Confluence Mail

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-2677. panel Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/09/17 9:37 a.m.25 views

MoveIssue does not keep the security issue level after the move.

MoveIssue does not keep the security issue level after the move...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/05/22 12:31 p.m.25 views

Problem when signing up for new user Account from login page

I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to login with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroupsUser.java:94 at...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:31 p.m.24 views

Directory Traversal vulnerability at plexus-utils dependency in Bamboo Data Center

This High severity File Inclusion vulnerability was introduced in versions 10.0.1, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H allows an...

8.8CVSS6.2AI score0.00663EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 11.2.0 and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allow...

8.7CVSS5.7AI score0.00552EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Security Headers Omission in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Security Headers Omission vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center...

9.1CVSS7.2AI score0.0048EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.24 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in version 11.3.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/27 8:29 p.m.24 views

DoS (Denial of Service) in Bitbucket Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1 and 10.0.0 of Bitbucket Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS5.9AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/16 10:12 p.m.24 views

RCE (Remote Code Execution) org.yaml:snakeyaml Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity RCE Remote Code Execution vulnerability was introduced in versions 11.3.3 of Jira Software Data Center. This RCE Remote Code...

9.8CVSS6.5AI score0.99615EPSS
Exploits7
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

HTTP Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N...

7.5CVSS5.7AI score0.00453EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.24 views

Injection org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity Injection vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This Injection vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:55 p.m.24 views

DoS (Denial of Service) Apache Struts Dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, and 12.0.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to cause a resource to be...

7.5CVSS5.8AI score0.01456EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/06 5:29 a.m.24 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2CVSS6AI score0.00541EPSS
Exploits1
Total number of security vulnerabilities4295