4295 matches found
SQL injection in DefaultReferralManager
In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java the DefaultReferralManager class the deleteReferrersWithPrefix method is vulnerable to sql injection through the user controlled 'prefix' parameter. It is possible to exploit this issue as an Admin...
Accidental XSRF and DoS consumption-of-space issue
We experienced an unusual growth of our nonspaced attachments that appears to be a DoS vunerability both in an accidental way with a workaround and intentional not easily worked around. This is under Confluence 4.0, but appears to probably apply to 4.3.1 as well. It appears the growing nonspaced...
Group Picker Should Not Listed All Groups
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-26600. panel Confluence will display all groups registered on it when users access any group picker and put value as its search...
Group Picker Should Not Listed All Groups
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-26600. panel Confluence will display all groups registered on it when users access any group picker and put value as its search...
XSS vulnerability in chart saving
Create a new dashboard with the name alert"XSS" 2. Go to the issue navigator and perform a search 3. Choose Views - charts - Save to dashboard This is because portal.name is unescaped in savetodashboard.vm. Tested in OnDemand and BTF...
The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29640. panel We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server side and client side input...
As a JIRA System Administrator, I can instruct web browsers to not allow saving a user's password in the various login options, so that unauthorized users can not access the system.
In some organisations, as part of a set of security requirements, it is required for compliant applications, to disallow users to store there application password in their browser. It would be perfect, if JIRA and all other Atlassian applications would allow to configure the autocomplete="off"...
multimedia macro allows execution of arbitrary scripts
The multimedia macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded user submitted swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The multimedia tag is bundled in with the base product and not an...
Javascript escape the value of "dark features" within the javascript context they are rendered out in
Current user specific dark feature values are not javascript escaped in the javascript context they exist in. e.g. the value "' + evalalert1 ' +" without the double quotes appears like the following in the feature javascript context: / Dark features are features that can enabled and disabled per...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
open redirect in flushcache.action
A skipfish scan of confluence found that flushcache.action is vulnerable to 'open redirect' as the returlUrl seems to send up in the Location HTTP header on a 302 redirect response. Note the token parameter in the here is an example attack using the flaw...
Enable X-FRAME-Options header to implement clickjacking protection
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-25143. panel TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...
Members of confluence-administrators receive notifications for comments and attachments on restricted pages
Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages. There is a bug in the permission check for notifications about "contained" object...
As a developer or release manager I want to be able to create and manage versions in JIRA without having to be given project admin permissions
Currently JIRA only allows a user to create, release and generally manage versions in a project if the user is a project admin. However there are numerous use cases where developers, release managers, project managers, etc. need to be able to perform this function but don't need full admin rights...
Deleting a user does not remove the user from its LDAP group
Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...
XSS vulnerability in Bookmarks macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
XSS in filter.subscription.prefix.monthDay parameter of /secure/FilterSubscription.jspa
http://172.16.230.130:8080/secure/FilterSubscription.jspa?filter.subscription.prefix.interval=180&groupName=jira-users&filter.subscription.prefix.runFromMins=00&nextRun=&filter.subscription.prefix.runToMins=00&filter.subscription.prefix.runToMeridian=pm&filter.subscription.prefix.week=2&filter.su...
XSS vulnerability in space key, particularly with decorators off
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...
Potential attack vector using attachments
Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...
Allow anonymous/public access at page level
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-20737. panel Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous acces...
Property for enabling/disabling viewage of Jira administrators
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-22096. panel As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables...
Secure Administrator Sessions feature can be bypassed
In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...
Enable Web Sudo to work with other single-sign-on solutions
Customers with some of the unsupported single sign-on solutions|http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...
XSS vulnerability in Contributors macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence \contributors macro. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about how is logged into JIRA and when. This has been mooted for a while and is now being done in...
XSS vulnerability in some JSPs under admin section
Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...
Remove the download link for XML site backups
Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluencecfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The fl...
XSS vulnerability in Colour Scheme settings
An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...
Group picker popup JSP has XSS hole if group names are XSS shaped
If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...
500page.jsp contains HTTP Header XSS vulnerability
The 500page.jsp contains an XSS vulnerability via the 'Referrer' HTTP header...
Allow user accounts to require two-factor authentication using RFC 4226
New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication. One candidate is two-factor authentication using the RFC 4226 OATH/HOTP|http://en.wikipedia.org/wiki/HOTP standard. This requires the user...
Privilege escalation vulnerability when administrator access is compromised
panel:borderColor=ff0000|borderStyle=solid|bgColor=ffccccNote: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one. For more details, see JIRA Security Advisory -...
Signing in with username with different case creates new user
We currently utilize LDAP for our user repository and allow users to be automatically added to crucible if they can successfully authenticate. We have recently received complaints from users that their names were showing up two times in reviews. After some analysis we saw that there were 2...
autocomplete box in page restrictions finds deleted users, wrong usernames
We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...
Workflow permission to limit ability to link issues
We need to be able to limit the ability to link issues by the issue status. If we have two issues, and they are both closed, I do not want to be able to link them. If one or both are opened or in progress, I'd like to be able to create the link from the open issue. We are trying to use Jira for...
Update of jcaptcha
Update version of jcaptcha that we use...
JQL not respecting Issue Security Level "Project Lead"
While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead HSP-3 has Issue Security Level of "Project Lead" only. empty JQL to show all visible issues doesn't show HSP-3. make fred the Project Lead same query: still no HSP-3 however: fred can browse to HSP-3 an...
Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...
XSS vulnerability in space name when page move would create a duplicate
Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...
The i18n in velocity templates does not auto html encode parameters
All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module. The most straight forward way to fix this is to wrap the parameter insid...
The i18n in velocity templates does not auto html encode parameters
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which mean...
Shared Filter properties exposed without authentication
Some URLs are not protected by authentication which could expose some properties in JIRA that users may not wish to reveal. Example 1: Searching filters http://support.atlassian.com/secure/ManageFilters.jspa?filterView=search Example 2: Viewing properties of filters. I can see custom fields, sear...
Issue attachments, need a functionality of Security Schemes
In our JIRA instance both customers and developers have access to issues. We would like to have a security scheme functionality in connection to issue's attachments. In other words, we would like to attach a documentation which would not be visible to customers or other groups of JIRA users...
Vulnerable and pointless password storage on client computers
Given the following: -http://confluence.atlassian.com/display/DOC/Confluence+Cookies, which says "a one-way hash of the user's password" is stored in a browser cookie on the user's computer. -CSP-29692 case I opened with Atlassian support, which explained that EncryptionUtils.java is used to...
Issue security based on workflow status
I would be great if permission types could be associated with workflow status. What we would like to do is limit the ability to edit an issue by the reporter to a specific workflow status. Using the issue security scheme is not possible since the reporter should always be allowed to view the issu...
Ability to grant Import/Export privileges to a group or a user
In our JIRA environment, we have several projects where each of the project admins uploads tasks from a CSV file into their respective project. Inorder for these project admins have the upload permissions, they need to be part of the JIRA System Administration group. This is unacceptable and is a...
Assignment of JSESSIONIDs
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-14112. panel I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's...
Confluence displays ALL attachments when the following URL is viewed
i removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, Irrispecitve of space and page level permission restrictions. For Example:...
It's possible to execute a workflow action without being logged in.
To reproduce, open Jira in two browser windows. In the first, navigate to an issue with an available workflow action. In the second, log out. In the first, perform one of the workflow actions. You'll see a page asking you to log back in, but the action has still been performed. To see this, in th...
Stored XSS in wiki macro search
Creating a page/comment etc with the following wiki-markup macro will render javascript on the page for anybody visiting this page search:query=alertdocument.cookie IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the vulnerability to publicly...