4295 matches found
GetResourceServlet pre-auth arbitrary file download vulnerability
The GetResourceServlet Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously. By taking an attacker controlled name parameter and using this in a call to URLConnection.openConnection, an attacke...
ResolveURLServlet pre-auth arbitrary file download vulnerability
The ResolveURLServlet Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously. By taking an attacker controlled url parameter and using this in a call to URLConnection.openConnection, an attacker...
XSS in organisationId in /secure/admin/UpdateBitbucketCredentials.jspa
OrganisationId is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link. noformat GET...
REST session not terminated
panel This issue deals with how JIRA manages session requests to the REST/SOAP API. The related issue JRA-27050 deals with session management for web Crawlers. The related issue JRA-27047 deals with session management for stateless requests to the REST/SOAP API. panel h4. Expected behavior 1. On...
Default application configuration files are available for download
h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under /atlassian-jira/WEB-INF/... code/s/1519/3/1.0//WEB-INF/...code The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access h5...
Default application configuration files are available for download
h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under /atlassian-jira/WEB-INF/... code/s/1519/3/1.0//WEB-INF/...code The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access h5...
XSS bug in detail view epic name lozenge rendering
6.1 introduced an xss bug in the detail view, more specifically in the epic field that displays to which epic an issue belongs to...
Reflected XSS in Create Issue Details page
The Create Issue Detail page is vulnerable to reflected XSS. 1. Login to https://$JIRA/ 2. Visit https://$JIRA/secure/CreateIssueDetails.jspa?reporter="alert'XSS'alert'XSS'p+name%3D"&pid=10000&issuetype=2...
Reflected XSS in Create Issue Details page
The Create Issue Detail page is vulnerable to reflected XSS. 1. Login to https://$JIRA/ 2. Visit https://$JIRA/secure/CreateIssueDetails.jspa?reporter="alert'XSS'alert'XSS'p+name%3D"&pid=10000&issuetype=2...
SQL injection in DefaultReferralManager
In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java the DefaultReferralManager class the deleteReferrersWithPrefix method is vulnerable to sql injection through the user controlled 'prefix' parameter. It is possible to exploit this issue as an Admin...
Accidental XSRF and DoS consumption-of-space issue
We experienced an unusual growth of our nonspaced attachments that appears to be a DoS vunerability both in an accidental way with a workaround and intentional not easily worked around. This is under Confluence 4.0, but appears to probably apply to 4.3.1 as well. It appears the growing nonspaced...
User email showing in suggestions section with visibility set to hidden
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-29690. panel Assignee user-picker shows user email in Suggestions section, with User Email Visibility set to hidden. Steps to reproduce: Emai...
Group Picker Should Not Listed All Groups
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-26600. panel Confluence will display all groups registered on it when users access any group picker and put value as its search...
The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input...
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
As a JIRA System Administrator, I can instruct web browsers to not allow saving a user's password in the various login options, so that unauthorized users can not access the system.
In some organisations, as part of a set of security requirements, it is required for compliant applications, to disallow users to store there application password in their browser. It would be perfect, if JIRA and all other Atlassian applications would allow to configure the autocomplete="off"...
There is a reflected xss flaw in the settings.action of dailysummary settings.action.
There is a reflected xss flaw in the settings.action of dailysummary settings.action as the username parameter is not html encoded before being rendered on the page. Here is an example of a reflected xss it adds a picture of a lolcat to the page...
Persistent xss flaw in the revision history (of comments).
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47387. panel Whilst a comment is html encoded /sanitized when displayed within an answer to a question the revision history page...
XSS vulnerability in the "import word document" page action through the page name
On the "import word document" page action the name of the confluence page is a persistent xss vector as it is not encoded. How to Reproduce: 1. Create a confluence page with the following title noformat XSS"/alert'XSS' noformat 2. Navigate to the created page 3. Under the tools menu select "Impor...
XSS (reflected) in rankVMID parameter of GetRankPage.jspa
As per https://sdog.jira.com/browse/JSTDEV-2110 Targets:...
multimedia macro allows execution of arbitrary scripts
The multimedia macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded user submitted swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The multimedia tag is bundled in with the base product and not an...
Javascript escape the value of "dark features" within the javascript context they are rendered out in
Current user specific dark feature values are not javascript escaped in the javascript context they exist in. e.g. the value "' + evalalert1 ' +" without the double quotes appears like the following in the feature javascript context: / Dark features are features that can enabled and disabled per...
ConsumerConfigurationServlet Open Redirect
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
XML Vulnerability in JIRA
We have identified and fixed a vulnerability in JIRA that results from the way third-party XML parsers are used in JIRA. This vulnerability allows an attacker who is an authenticated JIRA user to execute denial of service attacks against the JIRA server. All versions of JIRA up to and including...
XSS vulnerability in /agent/configureAgents resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo configureAgents resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
Members of confluence-administrators group can browse to restricted pages
Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...
Enable X-FRAME-Options header to implement clickjacking protection
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-25143. panel TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...
Members of confluence-administrators receive notifications for comments and attachments on restricted pages
Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages. There is a bug in the permission check for notifications about "contained" object...
As a developer or release manager I want to be able to create and manage versions in JIRA without having to be given project admin permissions
Currently JIRA only allows a user to create, release and generally manage versions in a project if the user is a project admin. However there are numerous use cases where developers, release managers, project managers, etc. need to be able to perform this function but don't need full admin rights...
XSS vulnerability in FishEye/Crucible Reviews List
We have identified and fixed a cross-site scripting XSS vulnerability in the FishEye/Crucible reviews list. Affected versions are FishEye/Crucible 2.2.8 to 2.5.2 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
Deleting a user does not remove the user from its LDAP group
Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...
XSS vulnerability in Pagetree macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
XSS vulnerability in Bookmarks macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
XSS in filter.subscription.prefix.monthDay parameter of /secure/FilterSubscription.jspa
http://172.16.230.130:8080/secure/FilterSubscription.jspa?filter.subscription.prefix.interval=180&groupName=jira-users&filter.subscription.prefix.runFromMins=00&nextRun=&filter.subscription.prefix.runToMins=00&filter.subscription.prefix.runToMeridian=pm&filter.subscription.prefix.week=2&filter.su...
XSS vulnerability in space key, particularly with decorators off
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...
Potential attack vector using attachments
Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...
Allow anonymous/public access at page level
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-20737. panel Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous acces...
Property for enabling/disabling viewage of Jira administrators
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-22096. panel As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables...
Secure Administrator Sessions feature can be bypassed
In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...
Enable Web Sudo to work with other single-sign-on solutions
Customers with some of the unsupported single sign-on solutions|http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...
XSS vulnerability in Contributors macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence \contributors macro. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...
XSS vulnerability in some JSPs under admin section
Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...
Not all error strings are encoded
A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...
JIRA is vulnerable to clickjacking attacks
A clickjacking attack on JIRA would most likely take the form of a third-party site, containing an invisible iframe on top of an unrelated page. The iframe would contain a page in JIRA. The victim would believe he was clicking on the other site but would actually be clicking in JIRA and performin...
XSS vulnerability in Colour Scheme settings
An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...
Group picker popup JSP has XSS hole if group names are XSS shaped
If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...