Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/09/15 4:25 p.m.24 views

XSS in RSS feed creation

URL http://localhost:8080/dashboard/doconfigurerssfeed.action The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to: types="alertdocument.cookie complete example from the testenvironment:...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:25 p.m.24 views

XSS in RSS feed creation

URL http://localhost:8080/dashboard/doconfigurerssfeed.action The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to: types="alertdocument.cookie complete example from the testenvironment:...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2008/08/19 5:10 a.m.24 views

The TrustedApplicationsFilter doesn't work for /rpc/* URLs

The sessioninview filter doesn't cover rpc URLs I think because this meant that RPC actions didn't show up in the DB until the response what completely written This means that lazily loaded data returned by the HibernateTrustedApplicationDao causes problems when the TrustedApplicationsFilter trie...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2008/05/13 1:52 p.m.24 views

XSS in DWR

Confluence still uses DWR 1.1.4. This version contains a Cross Site Scripting Vulnerability in the handling of error messages. Example...

1.9AI score
Exploits0
Atlassian
Atlassian
added 2008/04/21 4:28 p.m.24 views

XSS vulnerability in viewinfo.action

Referrer URLs are not encoded in viewinfo.vm...

2.1AI score
Exploits0
Atlassian
Atlassian
added 2007/11/12 3:22 a.m.24 views

Bulk Move does not update the Security Level of subtasks

When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2007/10/03 2:58 a.m.24 views

Velocity does not automatically escape HTML entities when substituting variables

Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...

2.2AI score
Exploits0
Atlassian
Atlassian
added 2007/09/25 8:45 p.m.24 views

Cross-site scripting vulnerability in /dashboard.action

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. 1 of 3 Cross-Site Scripting in Parameter Name Severity: High Test Type: Application...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.24 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 12:56 p.m.24 views

XSS vulnerability in app/pages/listpages-alphaview.action

Description: XSS via the "startsWith" field in pages/listpages-alphaview.action. Exploit: noformathttp://app/pages/listpages-alphaview.action?key=&startsWith=xss:alertdocument.cookienoformat...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2007/07/19 8:51 a.m.24 views

People Directory search can be misused to retrieve email addresses of all users

Even when email addresses should be hidden because of global settings, it is possible to retrieve email addresses of all the users in the system by misusing search in people directory. It seems that the email address is one of the attributes that are being indexed by the search engine. So if one...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2007/02/18 10:28 p.m.24 views

Deleting user does not remove the user from a permission scheme

If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/04/01 11:52 a.m.24 views

Character not allowed in user name

A user has sign up with the user name "m&m". The i tried to modify this user. Because the username is passed as url parameter FooServlet?name=m&m : GET or POST method the servlet container cut the name and try to retreive the username named "m" !!! The only way is to use a database client, change...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2004/01/19 3:3 a.m.24 views

Add a generic HTML cleaning service

This will be able to be used by all components that need to display untrusted HTML: including HTML attachments, RSS feeds, and the html-include macro...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2003/09/18 8:16 p.m.24 views

should be able to login only via https

you should be able to configure JIRA to login via HTTPS. this is almost possible in 2.4.1. You can specify an https URL in security-config.xml as the login.url parameter. this makes loing links from e.g. the issue view page work correctly. a slight problem here is that the session remiains in the...

Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/02 4:30 p.m.23 views

DoS (Denial of Service) minimatch Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.2AI score0.00472EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/15 7:49 a.m.23 views

Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data Center

This High severity Improper Encoding vulnerability known as CVE-2026-34483 was introduced in version 11.3.0. This Improper Encoding or Escaping of Output vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an unauthenticated attacker to...

7.5CVSS5.8AI score0.00461EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/11 11:33 p.m.23 views

DoS (Denial of Service) at commons-fileupload dependency in Crucible Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.9.0 of Crucible Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to...

7.5CVSS5.8AI score0.46836EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/11 11:30 p.m.23 views

Security Misconfiguration vulnerability at Tomcat dependency in Bamboo Data Center

This High severity Security Misconfiguration vulnerability was introduced in version 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0 and 12.1.0 of Bamboo Data Center. This Security Misconfiguration vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.00259EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/22 8:29 p.m.23 views

Information Disclosure in Confluence Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.03494EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 1:5 p.m.23 views

Improper Authorization commons-beanutils:commons-beanutils Dependency in Jira Service Management Data Center

This High severity Improper Authorization vulnerability was introduced in versions 5.12.1, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Service Management Data Center. This Improper Authorization vulnerability, with a CVSS Score of 8.8 and a...

8.8CVSS7.5AI score0.01548EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/14 10:30 p.m.23 views

XSS (Cross Site Scripting) dompurify Dependency in Bamboo Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 10.0.1, 10.2.15, 12.0.0 and 12.1.2 of Bamboo Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

7.3CVSS5.5AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 10:29 p.m.23 views

Information Disclosure org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.1, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N...

7.5CVSS5.7AI score0.00447EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.23 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Confluence Data Center

This High severity HTTP Request Smuggling vulnerability was introduced in version 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, 10.2.0 of Confluence Data Center. This HTTP Request Smuggling vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.8AI score0.0064EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.23 views

DoS (Denial of Service) org.bitbucket.b_c:jose4j Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.2.14, 9.3.1, 9.4.0, 9.5.1, and 10.2.3 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.00244EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.23 views

Injection immutable Dependency in Confluence Data Center

This High severity Injection vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Injection vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

9.8CVSS5.7AI score0.00978EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/11 10:29 p.m.23 views

XSS (Cross Site Scripting) dompurify Dependency in Bitbucket Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 8.19.0, 9.0.1, and 10.0.0 of Bitbucket Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an unauthenticate...

7.3CVSS5.7AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:58 p.m.23 views

RCE (Remote Code Execution) in Bamboo Data Center

This High severity RCE Remote Code Execution vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute...

8.6CVSS6.1AI score0.00507EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/11 4:55 p.m.23 views

DoS (Denial of Service) Apache Struts Dependency in Bamboo Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, and 12.0.0 of Bamboo Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to cause a resource to be...

7.5CVSS5.8AI score0.01456EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/20 6:59 a.m.23 views

Injection sha.js Dependency in Jira Service Management Data Center and Server

This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Service Management Data Center and Server. This Injection vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows...

9.1CVSS7.4AI score0.00651EPSS
Exploits2
Atlassian
Atlassian
added 2026/01/09 4:27 p.m.23 views

mXSS (mutation Cross-Site Scripting) dompurify Dependency in Jira Software Data Center and Server

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity nesting-based mXSS mutation Cross-Site Scripting vulnerability was introduced in version 10.3.0 of Jira Software Data Center...

10CVSS5.8AI score0.01093EPSS
Exploits2
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.23 views

RCE (Remote Code Execution) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity RCE Remote Code Execution vulnerability was introduced in versions 8.19.0, 9.4.0, and 10.0.0 of Bitbucket Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H allows an...

7.5CVSS8.6AI score0.66535EPSS
Exploits4
Atlassian
Atlassian
added 2025/12/10 2:3 a.m.23 views

XXE (XML External Entity Injection) Tika Dependency in Jira Software Data Center and Server

This Jira Software release includes updates to our Apache Tika dependency in response to CVE-2025-66516. Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for...

9.8CVSS8.4AI score0.79807EPSS
Exploits5
Atlassian
Atlassian
added 2025/08/07 10:21 a.m.23 views

DoS (Denial of Service) in Crowd Data Center

This High severity DoS Denial of Service vulnerability was introduced in version 6.3.1 of Crowd Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disruptin...

7.5CVSS6.9AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/05/14 5:9 a.m.23 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.9.10, 8.13.6, 8.14.6, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score ...

7.5CVSS7.8AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2025/04/03 6:12 a.m.23 views

DoS (Denial of Service) io.netty:netty-handler Dependency in Confluence Data Center and Server

This High severity io.netty:netty-handler Dependency vulnerability was introduced in versions 7.19 of Confluence Data Center and Server. This io.netty:netty-handler Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.01966EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/13 4:13 p.m.23 views

BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.2.0, 5.3.0, 6.0.1, 6.1.0, and 6.2.0 of Crowd Data Center and Server. This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of...

9.8CVSS9.1AI score0.06287EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/13 1:13 a.m.23 views

org.postgresql:postgresql Dependency in Bitbucket Data Center and Server

This High severity org.postgresql:postgresql Dependency vulnerability was introduced in version 8.0 of Bitbucket Data Center. A version of the PostgreSQL JDBC driver is bundled in the Mesh Application /app/WEB-INF/mesh/mesh-app.jar however Mesh does not use the PostgreSQL driver, rather it uses a...

9.8CVSS7.5AI score0.0301EPSS
Exploits1
Atlassian
Atlassian
added 2025/02/12 6:48 p.m.23 views

Third-Party Dependency in Bitbucket Data Center

This High severity Third-Party Dependency vulnerability was introduced in version 9.4.0 of Bitbucket Data Center. This Third-Party Dependency vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, allows an unauthenticated attacker to expose...

8.8CVSS7AI score0.72648EPSS
Exploits15
Atlassian
Atlassian
added 2024/12/04 1:18 a.m.23 views

RCE (Remote Code Execution) org.apache.avro:avro Dependency in Confluence Data Center and Server

This High severity org.apache.avro:avro Dependency vulnerability was introduced in versions 6.5 of Confluence Data Center and Server. This org.apache.avro:avro Dependency vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

9.2CVSS7.5AI score0.03278EPSS
Exploits0
Atlassian
Atlassian
added 2024/10/23 4:58 a.m.23 views

Prototype Pollution json5 Dependency in Confluence Data Center

This High severity json5 Dependency vulnerability was introduced in versions 5.9 of Confluence Data Center. This json5 Dependency vulnerability, with a CVSS Score of 7.1, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to...

8.8CVSS6.3AI score0.09304EPSS
Exploits1
Atlassian
Atlassian
added 2024/09/27 12:21 a.m.23 views

Allow HTTP Strict Transport Security (HSTS) to be configured in Bamboo 10

h3. Issue Summary This is reproducible on Data Center: / Up until Bamboo 9.6, HTTP Strict Transport Security|https://tools.ietf.org/html/rfc6797 was configurable in Bamboo by following the steps outlined in this KB article: How do I enable HSTS and other HTTP Security Headers in Bamboo Data...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2024/09/05 11:20 a.m.23 views

[9.0] Fix Risky deserialization calls

h3. Issue Summary fix This is reproducible on Data Center: Yes h3. Steps to Reproduce Cannot be reproduced h3. Expected Results Where possible, restrict the set of classes that can be deserialized. OWASP’s recommendation for readObject calls is to subclass the ObjectInputStream class, and overrid...

7AI score
Exploits0
Atlassian
Atlassian
added 2023/09/25 5:35 p.m.23 views

User with system administrator privilege can search restricted pages.

h3. Issue Summary Starting Confluence 8.5.1 when a user is granted System administrator permission at Global permissions. The user can search for Restricted content and the restricted page gets displayed in search, when tried to access it says "Page can't be found". This behaviour is not...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/03/16 4:8 a.m.23 views

REST API Endpoint Leaked private project to unauthorized user

Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint. Affecte...

5.9AI score
Exploits0
Atlassian
Atlassian
added 2022/03/11 1:55 p.m.23 views

Jira does not invalidate session after a password change

When a user changes their username via the UI the session cookie is not invalidated. For security purposes, all sessions should be invalidated and require the user to sign back in with the new password...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2021/07/15 9:11 a.m.23 views

Preventing path disclosure in file upload functionality and Page export for security purposes

h3. Issue Summary While performing the file upload vulnerability test in confluence application, we are able to identify the sensitive path disclosure in following cases. • When we attached some malicious file and tried to downloading all attachments. • When we uploaded malicious file and tried t...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2021/06/30 3:31 p.m.23 views

Attachment name, in questions/answers, is searchable despite not having Permissions for Questions

h4. Summary The questions plugin allows administrators to restrict its usage to groups/users, similar to Confluence Permissions. Attachments uploaded to these questions/answers can be found by users that do not have Questions Permission. However, while the attachment can be searched and its title...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/01/14 9:36 p.m.23 views

SSRF when adding Jira server in admin plugin

h2. Please be aware that Atlassian does not consider this issue to represent a security risk as the functionality is restricted to users with administrative rights. h3. Issue Summary When adding a Jira server in Bamboo under the "User directories" module, an attacker can put any value in the...

0.1AI score
Exploits0
Atlassian
Atlassian
added 2019/08/06 2:4 p.m.23 views

Linking image renders image as HTTP instead of HTTPS

h3. Issue Summary Linking existing image on Confluence page will appear as broken image due to mix content. The request url is rendered with HTTP instead of HTTPS. h3. Steps to Reproduce Create/edit a page. Click + and select Files and images. Attach an image to the page. Click on image and then...

Exploits0Affected Software1
Total number of security vulnerabilities4295