4295 matches found
XSS vulnerability found in profile settings
There was a XSS vulnerability found in profile settings pages...
Windows 4.0 prompted "Untrusted Certificate" error in Rooms
h3. Summary When accessing specific rooms with URL from an untrusted website, the error message "Untrusted Certificate" appears, prompt if you want to trust the certificate and continue. !Screen Shot 2016-01-22 at 10.28.08 AM.png|thumbnail! h3. Environment Windows h3. Actual Results The following...
Stronger algorithm used to digest instance admin password
Let's use PKCS5S2...
One Crucible admin can get access to repository password provided by another admin
It was possible to retrieve the repository passwords provided by another administrator via web browser session. It was fixed now, so password can still be changed or unset if necessary, but it is not possible to read its contents...
Disable Quartz Phone Home
Quartz's phone home has not yet been disabled in Crowd. http://quartz-scheduler.org/documentation/best-practices suggests setting org.terracotta.quartz.skipUpdateCheck=true as a system property to disable this check...
Disabled Users Receive Notification from Team Calendar
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...
Stop Watching Page in email footer is broken
The link is broken, the error message says that the security token is missing...
Project's permission bypass JIRA global permissions
h3. Summary Users are able to create/comment issues via email without group membership if they are added directly to the project's permission. User shouldn't be able to do that since he can't access the application itself. Same applies to JIRA's notifications. h3. Steps to Reproduce Remove user...
Space permissions ignored in list of blog posts by date
h3. Summary Users have the ability to view a list of all blog posts, even from spaces in which they don't have permission to access. h3. Steps to Reproduce Install Confluence 5.7.x Create two spaces Space A Space B remove all permissions for confluence-users Create a blog post in Space A Create a...
Update Java version bundled in the installer
The version of Java bundled with Confluence is 1.7.015 which is a little bit dated February 2013. We should bundle the latest version of Java 7 to ship the latest bug fixes and security patches. Updating the version of Java will also solve CONF-31688...
Restrictions not applied for inline comments in attachments
When there is a comment for a file which is attached to a restricted page, all users can see the comment, even the ones who are not allowed to see the page and its attachments. h3. Workaround for 5.7 There is no workaround for customers running Confluence 5.7. Customers are advised to upgrade to...
Disable SSLv3 in outgoing HTTPS connections from Confluence
SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in January 1999 and java 6 supports and uses it as the default client version in TLS handshake. SSLv3 is old and limits the ciphers that can be used. SSLv3 is also vulnerable to POODLE. We...
Request access to this page. userFullName can be modified.
Steps to reproduce: 1.-Create a page and grant permissions only for you 2.-Modify this url to point to your pageId https://extranet.atlassian.com/pages/viewpage.action?pageId=XXXXXXX&username=scia&userFullName=Scott%2BFarquhar&grantAccess=true 3.- You will be asked to grant Scott Farquhar...
Use of atlassian-whitelist plugin allows CORS access to origins which it should not
The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...
OGNL Double Evaluation Vulnerability
We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crucible web interface. All versions of Crucible up to and including 3.6.1...
SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE
The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...
XSS in page editor via Shortcut links
Steps to reproduce: 1. add new shortcuts with default alias like "". 2. by typing searchterms@aliasname in page editor you can trigger XSS By replacing existing shortcut with malicious one, we can easily exploit multiple users using this functionality...
Activity stream on JAC contains updates from another user
Jira prompted me to change my time zone, and brought me to a profile that seems to be for a completely different user who happens to share my first name and last initial. See attached screen shot. Going directly to https://secretlocation.atlassian.net/secure/ViewProfile.jspa shows me the proper...
Adding Subscription Cal by URL stores user password unencrypted
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48402. panel I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really ...
Add global option "Enable group <anyone>"
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-39912. panel As mentioned in JRA-18076 and JRA-23255, the predefined group anyone poses security risks in many cases as it exposes projects t...
Content injection caused by failing to encode the url
The exampleURLPrefix variable given to the single-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/issueviews/single-xml-header.vm11 or...
Seemingly malformed PNG file will cause JIRA to OOM within seconds
.atlassian.net was chain-OOM-ing earlier today. jworley was able to narrow it down to an image attachment on a particular issue. It's only a 300KB PNG file a screenshot from an Android device but it causes JIRA to OOM almost immediately. I've been able to replicate that behaviour on my jira-dev...
Remote DoS Exploit on JIRA
An attacker is able to perform the billion laughs attack on a default JIRA installation including OnDemand installations. This attack can be executed without authentication and leads to the complete use of resources on the victim machine causing the server to crash or hang. It is possible due to...
Stash uses plain text passwords in the database for the Crowd User Directory
I managed to accidentely lock myself out of my stash instance this morning during a routine upgrade and while looking for the name of a local stash user account I noticed that the password for the Crowd User Directory I'd setup incorrectly was stored as plain text in table cwddirectoryattribute...
Restrictions do not apply in calendar macro
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-49762. panel Team Calendar restrictions do not apply if the calendar is in a Calendar Macro withing a Confluence page. +Repro...
Jira outputs a stack trace to the screen when an error is encountered
When an error condition is triggered by a user or black-box security scanner such as Acunetix, the system provides an appropriate error page. However, the error page includes the stack trace which the scanner will determine to be a potential Information Disclosure vulnerability because the stack...
Jira outputs a stack trace to the screen when an error is encountered
panel h3. Problem When users are greeted by the error 500 page, they can click on the Request assistance link to expand and see the long stack trace of the error that occurs. The information is not useful to most of the end users but it's not possible to hide it from them. h3. Suggestion To have ...
Accept Answer URL should be idempotent and accept PUT or POST requests only
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46610. panel Answers currently users a single URL to both accept and un-accept answers: noformat $baseurl/acceptanswer/$answeri...
XSS in the view parameter of several actions
The following XSS issues were detected by a customer. /changelog?max=30&view=cru%22;alert4015891;//%22&@asv=cru /project/CR?max=30&projectKey=CR&view=all";alert3166631;//"&@asv=all /user/c30626?max=30&name=c30626&view=all";alert1287220;//"&@asv=all...
Bamboo crashes when XSRF protection is enabled and proxy is wrongly configured
The new feature to enable XSRF protection|https://confluence.atlassian.com/display/BAMBOO/Configuring+XSRF+protection introduced in Bamboo 5.3, causes a crash if the tomcat proxy config are wrongly configured. Steps to reproduced Configure Bamboo to use modproxy as detailed here:...
XSS vulnerability in 'Share a link' blueprint
Open the Create dialog - Select "Share a Link" article - In the 'Topics' field, enter an attack string such as: alert"hello" =The script will be executed...
UploadAction.execute vulnerable to CSRF
Sub-issue from CONF-27960. UploadAction.execute upload.action does not have CSRF protection...
The xsrf cookie token is not a 'secure' cookie for secure('https') requests
To prevent against man in the middle attacks the xsrf cookie token should have the 'secure' attribute set...
RSS Macro should not trust all content from the origin server by default.
The RSS feed macro currently appears to be enabled by default in Confluence. This is contrary to the information contained in the following Confluence documentation: https://confluence.atlassian.com/display/DOC/RSS+Feed+Macro While a whitelist is enforced by default, as confluence implicitly trus...
Persistent cross-site scripting (XSS) via DailyMotionRenderer
A number of renderer classes used by the widget macro were previously identified that contained URL validation flaws leading to persistent cross-site scripting XSS vulnerabilities. The modified classes now make use of the isUrlMatch method from the WidgetConnectorUtil class in the implementation ...
Unauthenticated access to private information via tinymce plugin
It is possible for unauthenticated users to retrieve information from a Confluence instance, including tables of contents and change histories for private pages, and lists of all attachments in a space, by making calls to the preview function of the macro REST API in the confluence-tinymce-plugin...
execution of javascript from filename
Steps to replicate: Add an attachment Rename the file to ".txt" Copy its remove link and open the link in a new browser window Result: The JavaScript code is executed, rather than showing the "proceed w/ deletion" screen. Everything works normally if you just click the delete button rather than...
Resource file path traversal in IconDownloadResourceManager
To reproduce: 1. Create a new page title doesn't matter. 2. Insert an image with URL: code:none /confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties code with /confluence/ replaced with the correct base path. Edit the page, click +, click Image, select the From the Web...
XSS vulnerability in the Office Powerpoint macro (Office Connector)
To reproduce: 1. Attach a ".ppt" file to the page. any file with that extension - doesn't need to be a powerpoint file 2. Add "Office Powerpoint" macro with Slide Number as: code "alertdocument.domain code 3. View page. See officeconnector, PptConverter.java, line...
XSS vulnerabilities in Atlassian Answers
Some users seem to try XSS attack on Atlassian Answers. How to replicate is the following steps. Go to the top page https://answers.atlassian.com/. Chose "Browse", "Users" and "Sort By Username" then a alert dialogue box will appear...
XSS in organisationId in /secure/admin/UpdateBitbucketCredentials.jspa
OrganisationId is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link. noformat GET...
Activity stream not respecting parent page restrictions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-28543. panel The Confluence Activity stream will display all pages that the user has access to according to the restrictions...
XSS vulnerability in invite-users-panel.vm [$i18n.getText('easyuser.send.invitations.email.placeholder', [$siteTitle]), line 37]
Panopticon http://panopticon.dyn.syd.atlassian.com/ has detected that the following file contains a XSS vulnerability. This vulnerability has been manually confirmed. File: confluence-plugins/confluence-bundled-plugins/confluence-easyuser-admin/src/main/resources/templates/invite-users-panel.vm...
REST session not terminated
panel This issue deals with how JIRA manages session requests to the REST/SOAP API. The related issue JRA-27050 deals with session management for web Crawlers. The related issue JRA-27047 deals with session management for stateless requests to the REST/SOAP API. panel h4. Expected behavior 1. On...
Customized variables whose values are hidden passwords are unmasked revealing the password in the build summary
Step to replicate Create two variables passworder and Passworder notice p with caps Run a customize build overridden the contents of the field While the fields remains hidden in the metadata as expected, the variable with capital P has it values revealed in the build summary see screenshot...
XSS bug in detail view epic name lozenge rendering
6.1 introduced an xss bug in the detail view, more specifically in the epic field that displays to which epic an issue belongs to...
XSS in Issue Collector
Hi Atlassian! There is a XSS vulnerability in the issue collector: File: /atlassian-jira-5.1.8-source/jira-issue-collector-plugin/src/main/resources/templates/view-collector.vm Line 82: $issue.summary Anonymous users can inject JS in the issue summary which usually will be executed by users with...
User email showing in suggestions section with visibility set to hidden
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-29690. panel Assignee user-picker shows user email in Suggestions section, with User Email Visibility set to hidden. Steps to reproduce: Emai...
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
GH Webwork actions are vulnerable to XSRF.
GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...