Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2007/07/19 8:51 a.m.24 views

People Directory search can be misused to retrieve email addresses of all users

Even when email addresses should be hidden because of global settings, it is possible to retrieve email addresses of all the users in the system by misusing search in people directory. It seems that the email address is one of the attributes that are being indexed by the search engine. So if one...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2007/02/20 11:13 p.m.24 views

Need ability to limit use of remote API to certain users, or a certain group

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-7913. panel The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/04/01 11:52 a.m.24 views

Character not allowed in user name

A user has sign up with the user name "m&m". The i tried to modify this user. Because the username is passed as url parameter FooServlet?name=m&m : GET or POST method the servlet container cut the name and try to retreive the username named "m" !!! The only way is to use a database client, change...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2004/01/19 3:3 a.m.24 views

Add a generic HTML cleaning service

This will be able to be used by all components that need to display untrusted HTML: including HTML attachments, RSS feeds, and the html-include macro...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/02 4:30 p.m.23 views

DoS (Denial of Service) minimatch Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.2AI score0.00472EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/15 7:49 a.m.23 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in version 11.3.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/11 11:30 p.m.23 views

Security Misconfiguration vulnerability at Tomcat dependency in Bamboo Data Center

This High severity Security Misconfiguration vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0 and 12.1.0 of Bamboo Data Center. This Security Misconfiguration vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.00259EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/22 8:29 p.m.23 views

Information Disclosure in Confluence Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.03494EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 1:5 p.m.23 views

Improper Authorization commons-beanutils:commons-beanutils Dependency in Jira Service Management Data Center

This High severity Improper Authorization vulnerability was introduced in versions 5.12.1, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Service Management Data Center. This Improper Authorization vulnerability, with a CVSS Score of 8.8 and a...

8.8CVSS7.5AI score0.01495EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/14 10:30 p.m.23 views

XSS (Cross Site Scripting) dompurify Dependency in Bamboo Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 10.0.1, 10.2.15, 12.0.0 and 12.1.2 of Bamboo Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

7.3CVSS5.5AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.23 views

Information Disclosure org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N...

7.5CVSS5.7AI score0.00447EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.23 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Confluence Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, 10.2.0 of Confluence Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.0064EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.23 views

DoS (Denial of Service) org.bitbucket.b_c:jose4j Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.2.14, 9.3.1, 9.4.0, 9.5.1, and 10.2.3 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.00244EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.23 views

Injection immutable Dependency in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

9.8CVSS5.7AI score0.00978EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/11 10:29 p.m.23 views

XSS (Cross Site Scripting) dompurify Dependency in Bitbucket Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 8.19.0, 9.0.1, and 10.0.0 of Bitbucket Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an unauthenticate...

7.3CVSS5.7AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:58 p.m.23 views

RCE (Remote Code Execution) in Bamboo Data Center

This High severity RCE Remote Code Execution vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute...

8.6CVSS6.1AI score0.00507EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:55 p.m.23 views

DoS (Denial of Service) Apache Struts Dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, and 12.0.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to cause a resource to be...

7.5CVSS5.8AI score0.01456EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/20 6:59 a.m.23 views

Injection sha.js Dependency in Jira Service Management Data Center and Server

This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Service Management Data Center and Server. This Injection vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows...

9.1CVSS7.4AI score0.00651EPSS
Exploits2
Atlassian
Atlassian
added 2026/01/09 4:27 p.m.23 views

mXSS (mutation Cross-Site Scripting) dompurify Dependency in Jira Software Data Center and Server

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity nesting-based mXSS mutation Cross-Site Scripting vulnerability was introduced in version 10.3.0 of Jira Software Data Center...

10CVSS5.8AI score0.01093EPSS
Exploits2
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.23 views

RCE (Remote Code Execution) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity RCE Remote Code Execution vulnerability was introduced in versions 8.19.0, 9.4.0, and 10.0.0 of Bitbucket Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H allows an...

7.5CVSS8.6AI score0.66535EPSS
Exploits4
Atlassian
Atlassian
added 2025/12/10 2:3 a.m.23 views

XXE (XML External Entity Injection) Tika Dependency in Jira Software Data Center and Server

This Jira Software release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for...

9.8CVSS8.4AI score0.79807EPSS
Exploits5
Atlassian
Atlassian
added 2025/08/07 10:21 a.m.23 views

DoS (Denial of Service) in Crowd Data Center

This High severity DoS Denial of Service vulnerability was introduced in version 6.3.1 of Crowd Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disruptin...

7.5CVSS6.9AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/13 1:27 a.m.23 views

PrivEsc (Privilege Escalation) in Jira Service Management Data Center

This High severity PrivEsc Privilege Escalation vulnerability was introduced in versions 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center. This PrivEsc Privilege Escalation vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileg...

8.8CVSS7AI score0.00445EPSS
Exploits0
Atlassian
Atlassian
added 2025/04/03 6:12 a.m.23 views

DoS (Denial of Service) io.netty:netty-handler Dependency in Confluence Data Center and Server

This High severity io.netty:netty-handler Dependency vulnerability was introduced in versions 7.19 of Confluence Data Center and Server. This io.netty:netty-handler Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.01966EPSS
Exploits1
Atlassian
Atlassian
added 2024/12/12 1:37 p.m.23 views

SSRF (Server-Side Request Forgery) [email protected] (NPM) in Crowd Data Center

This High severity SSRF Server-Side Request Forgery and Third-Party Dependency vulnerability was introduced in versions 6.0.4 and 6.1.2 of Crowd Data Center. This SSRF Server-Side Request Forgery and Third-Party Dependency vulnerability, caused by Axios 1.6.8, with a CVSS Score of 8.6, allows an...

7.5CVSS6.8AI score0.01414EPSS
Exploits1
Atlassian
Atlassian
added 2024/11/05 7:11 p.m.23 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...

7.5CVSS7.2AI score0.00753EPSS
Exploits0
Atlassian
Atlassian
added 2024/09/05 11:20 a.m.23 views

[9.0] Fix Risky deserialization calls

h3. Issue Summary fix This is reproducible on Data Center: Yes h3. Steps to Reproduce Cannot be reproduced h3. Expected Results Where possible, restrict the set of classes that can be deserialized. OWASP’s recommendation for readObject calls is to subclass the ObjectInputStream class, and overrid...

7AI score
Exploits0
Atlassian
Atlassian
added 2024/08/15 8:11 p.m.23 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bamboo Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS6.6AI score0.011EPSS
Exploits0
Atlassian
Atlassian
added 2024/06/11 5:22 a.m.23 views

Confserver ticket aggregation

Support CONFSERVER ticket aggregation similar to https://hello.atlassian.net/wiki/spaces/JIRASERVER/pages/3002952256/Experiment+-+JSEC+aggregates...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/25 5:35 p.m.23 views

User with system administrator privilege can search restricted pages.

h3. Issue Summary Starting Confluence 8.5.1 when a user is granted System administrator permission at Global permissions. The user can search for Restricted content and the restricted page gets displayed in search, when tried to access it says "Page can't be found". This behaviour is not...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/11 1:55 p.m.23 views

Jira does not invalidate session after a password change

When a user changes their username via the UI the session cookie is not invalidated. For security purposes, all sessions should be invalidated and require the user to sign back in with the new password...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2021/07/15 9:11 a.m.23 views

Preventing path disclosure in file upload functionality and Page export for security purposes

h3. Issue Summary While performing the file upload vulnerability test in confluence application, we are able to identify the sensitive path disclosure in following cases. • When we attached some malicious file and tried to downloading all attachments. • When we uploaded malicious file and tried t...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2021/06/21 11:34 a.m.23 views

Attachments gets downloaded on Chromium based browsers even after user logs out from Confluence

h3. Issue Summary Attachments gets downloaded on Chromium based browsers even after user logs out from the page h3. Steps to Reproduce Create a new page in Confluence Attach any PDF or picture or any file in that page and then publish the page Copy the image link by right clicking on the image as...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/11/04 7:26 a.m.23 views

User has access to project and repository after global permission has been removed

h3. Problem User has access to project and repository after global permission has been removed. Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user. h3. Environment - Tested on 7.5 and 7.3 h3. Steps to...

7AI score
Exploits0
Atlassian
Atlassian
added 2020/06/08 9:14 p.m.23 views

REST API - Deactivate the REST API

h4. Suggestion Description Confluence Server REST API|https://developer.atlassian.com/confdev/confluence-server-rest-api is active by default and there is no way to deactivate. It should have a similar option like the Enabling the Remote...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2020/01/29 11:18 p.m.23 views

Improper authorization on support files vulnerability in Jira - CVE-2019-20402

Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability...

4.9CVSS5.5AI score0.00766EPSS
Exploits0
Atlassian
Atlassian
added 2019/07/26 3:51 p.m.23 views

Pushing a code with an unlicensed user is possible if it was once a licensed user and an SSH key is added to user's profile

h3. Issue Summary If once licensed users have an SSH key added to their profile, it is still possible for them to push the code once the license had been removed. However, it is not possible to pull the code. h3. Environment Every environment. h3. Steps to Reproduce Create a new user. Add any...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2019/03/29 2:29 p.m.23 views

Copying and pasting Status Macro (or TOC Macro) over https triggers mixed content and breaks certificate trust

h3. Issue Summary Copying and pasting a status macro or TOC over https in the browser will trigger mix content action, it will break the certificate trust on request of: Status macro plugins/servlet/status-macro/placeholder?title=titlehere&colour=Yellow TOC macro...

7AI score
Exploits0
Atlassian
Atlassian
added 2019/03/20 1:3 p.m.23 views

Escape code on Description field when exporting to CSV

When opening CSV files exported through the CSV Export of Jira on Excel, if there are written Excel codes on it, they will run automatically. The suggestion is to provide a setting/configuration that automatically escape special characters on the export...

3.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/08 4:37 p.m.23 views

Upgrade Tomcat to the version 8.5.32

h4. Problem Current version of Tomcat 8.5.6 bundled with JIRA pre 7.12.1 is vulnerable to https://tomcat.apache.org/security-8.htmlFixedinApacheTomcat8.5.9...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2017/12/14 11:55 p.m.23 views

Authentication fails using SSH keys since 2.3.5

Neither the Pagent agent or OpenSSH is working to authenticate since I upgraded. Switching SSH services makes no difference. If I go to the command line, using ssh -i identfile I have no issues authenticating to any system. Other symptoms include the terminal not going to the repository but using...

1.3AI score
Exploits0
Atlassian
Atlassian
added 2017/11/27 8:44 a.m.23 views

JQuery Update to the latest version

h3. Definition JQuery is currently at version 1.7.2 where it contains 1 medium security vulnerability. h3. Suggestion To update the JQuery version that does not have a vulnerability threat...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2017/08/21 8:53 p.m.23 views

An issue can be linked to by ID even if link and browse permissions are absent

h3. Problem Definition: If you remove the Link Issues Permission and Browse Projects Permission a user can still create a link if they use the issue key. h3. Steps to Reproduce Create a Project Role and remove the "Browse Projects" and "Link Issues" permissions from that role in a target-project...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/08/18 3:7 a.m.23 views

Missing authorization check in Team Calendar addon

We received external report about missing authorization check in Team Calendar addon quote I found a broken authentication in Confluence Team calendar. A restricted team calendar that only related to a certain restricted space and can only be viewed by the creater himself show up in his profile...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/05/24 3:23 p.m.23 views

Other SD Projects Knowledge Base are accessible through direct link

h3. Summary: If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space. h3. Steps to Reproduce: Prepare a JIRA instance that is connected to Confluence...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2017/05/05 2:23 p.m.23 views

Security Issue: REST API does not respect 'Allow Anonymous Access to Remote API' setting on pages that has anonymous access

h3. Summary Anonymous API access are allowed on on pages that has Anonymous View Permission, even though the 'Allow Anonymous Access to Remote API' setting not ticked h3. Steps to Reproduce Make sure that 'Allow Anonymous Access to Remote API' setting from Confluence Administration Security...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/19 9:31 a.m.23 views

Update application-links to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case Fecru would update application-links from version 5.2.3 the version comes from the platform pom to version 5.2.4...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2016/11/28 4:10 a.m.23 views

Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5

For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets to a version = 4.2.14 to pick up a fix for AG-1502. For Confluence Cloud as https://ecosystem.atlassian.net/browse/ACG-5 has been fixed, upgrade atlassian-gadgets to a version = 5.1.1...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/07 10:25 a.m.23 views

If user is restricted to only view the space they should not be able to create or import a calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48465. panel panel:title=23 July 2019 Update|bgColor=e7f4fa Hi everyone, thank you for your interest in this ticket. After...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2016/07/07 9:52 p.m.23 views

XSS in newFileName Field

From an external report: quote Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the...

6.1AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295