4295 matches found
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
Inherit Edit Restrictions for Child Pages
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-26446. panel As it said in Documentation for Page Restrictions|https://confluence.atlassian.com/display/DOC/Page+Restrictions:...
GH Webwork actions are vulnerable to XSRF.
GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...
There is a reflected xss flaw in the settings.action of dailysummary settings.action.
There is a reflected xss flaw in the settings.action of dailysummary settings.action as the username parameter is not html encoded before being rendered on the page. Here is an example of a reflected xss it adds a picture of a lolcat to the page...
Persistent xss flaw in the revision history (of comments).
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47387. panel Whilst a comment is html encoded /sanitized when displayed within an answer to a question the revision history page...
XSS vulnerability in the "import word document" page action through the page name
On the "import word document" page action the name of the confluence page is a persistent xss vector as it is not encoded. How to Reproduce: 1. Create a confluence page with the following title noformat XSS"/alert'XSS' noformat 2. Navigate to the created page 3. Under the tools menu select "Impor...
XSS (reflected) in rankVMID parameter of GetRankPage.jspa
As per https://sdog.jira.com/browse/JSTDEV-2110 Targets:...
ValidationHash generation should use random.SystemRandom instead of random class
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47146. panel ValidationHash generation should use random.SystemRandom instead of the random.Random class when generating a rand...
Javascript escape the value of "dark features" within the javascript context they are rendered out in
Current user specific dark feature values are not javascript escaped in the javascript context they exist in. e.g. the value "' + evalalert1 ' +" without the double quotes appears like the following in the feature javascript context: / Dark features are features that can enabled and disabled per...
ConsumerConfigurationServlet Open Redirect
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
XML Vulnerability in JIRA
We have identified and fixed a vulnerability in JIRA that results from the way third-party XML parsers are used in JIRA. This vulnerability allows an attacker who is an authenticated JIRA user to execute denial of service attacks against the JIRA server. All versions of JIRA up to and including...
XSS vulnerability in /admin/chooseBuildsToMove.action resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo chooseBuildsToMove resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in /agent/configureAgents resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo configureAgents resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
Actions doeditpage,domovepage,docreatepage do not require XSRF token
When checking the application for security leaks, I found that the actions doeditpage, domovepage and docreatepage explicitly set the requireSecurityToken=false in the xwork.xml. This could be a possible leak in an attack scenario. Is there a reason, why these actions should not require the...
Members of confluence-administrators group can browse to restricted pages
Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...
Cross-Site Request Forgery
Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...
XSS vulnerability in FishEye/Crucible Reviews List
We have identified and fixed a cross-site scripting XSS vulnerability in the FishEye/Crucible reviews list. Affected versions are FishEye/Crucible 2.2.8 to 2.5.2 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
XSS vulnerability in Pagetree macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
Intermittent Session Lost During Add/Edit Page in Firefox
We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...
XSS vulnerability in Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication
When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail. h3. Resolution This is fix...
Potential attack vector using attachments
Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...
Allow anonymous/public access at page level
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-20737. panel Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous acces...
NullPointerException when Switching between Projects or Boards
In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...
sudo is decorated with global decorator
The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use confluence. By decorating the sudo login pages using the global decorator it exposes the user to...
XSS vulnerability in PDF export
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...
500page.jsp Improvements
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-19601. panel Some further improvements to the 500page.jsp: The following should not appear if there is no stack trace: quote...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...
Anonymise config files in support zip
Files included in the generated zip file could contain private information. This issue addresses that by removing all sensitive information before creating the zip. The severity of this issue is HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues and...
Not all error strings are encoded
A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...
Possible XSS injection in attachment upload
A XSS vulnerability has been identified in attachment upload. The severity of this issue has been rated HIGH. Please refer to the security advisory at http://confluence.atlassian.com/x/ZILmD for information on how we rate issues...
JIRA is vulnerable to clickjacking attacks
A clickjacking attack on JIRA would most likely take the form of a third-party site, containing an invisible iframe on top of an unrelated page. The iframe would contain a page in JIRA. The victim would believe he was clicking on the other site but would actually be clicking in JIRA and performin...
XSS vulnerability in Colour Scheme settings
An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...
XSS Bookmark vulnerabilities
The Add bookmark page is vulnerable to XSS attacks...
issuelinkssmall.jsp has an XSS hole via the URL used to access it
The issuelinkssmall.jsp has an XSS hole, where if the URL contains an XSS string, the ww:url tag will include that tag in the page because the value attribute was left empty...
XSS Vulnerabilities in JIRA
panel:borderColor=ff0000|borderStyle=solid|bgColor=ffccccWarning: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one. For more details, see JIRA Security Advisory -...
Include XSS security warning on HTML macro description in Wiki Markup Renderer
Include XSS security warning on HTML macro description in Wiki Markup Renderer. Derived from JRA-19802...
SSL for login page only does not work in Confluence 3.1
URL rewrite does not work for Confluence 3.1. We follow the documentation: http://confluence.atlassian.com/pages/viewpage.action?pageId=158106208 This works only in Confluence 2.10 but not 3.1...
Allow Site Admin to discover restricted pages
A customer mentioned that this functionality is important to have for automation and integration purposes. Currently confluence-administrators are not able to discover restricted pages, despite of their ability to access ie. read the page if they know the url. The customer argued that "this makes...
XSS in PDF screen
The "PDF Export Stylesheet" field is not encoded...
Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...
Encrypted passwords in osuser.xml
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-17317. panel We need to set a crypted password instead plain text password in java.naming.security.credentials within osuser.xml...
XSS vulnerability can be exploited with the viewppt macro
Upload a file test.ppt Use markup: noformatviewppt:test.ppt|height=alert"xss"|width=alert"xss"noformat The scripts will be executed when the page is loaded...
XSS vulnerability can be exploited with the viewppt macro
Upload a file test.ppt Use markup: noformatviewppt:test.ppt|height=alert"xss"|width=alert"xss"noformat The scripts will be executed when the page is loaded...
XSS in the Widget Connector
I've been working with the widget connector today and reading through the code when I noticed that the media uris are not being handled securely. try this: widget:url=youtube.com/v="alert'xss' In general there is not a unified way to prevent issues like this in the widget extensions and it is up ...
Assignment of JSESSIONIDs
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-14112. panel I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's...
Logging event information is not HTML encoded in 500 error page
The Confluence 500 error page lists logging events generated during the request the produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...
XSS in pagetree plugin
The pagetree plugin is vulnerable for XSS injecting the code in the treeId field. Example below:...