Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2011/10/26 1:57 a.m.•23 views

XSS vulnerability in default 'internal server error' page

We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo default 'internal server error' page. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...

5.5AI score
Exploits0
Atlassian
Atlassian
•added 2011/08/09 7:49 a.m.•23 views

Members of confluence-administrators group can browse to restricted pages

Expected behaviour is that a Confluence admin can view a page restricted to others by hitting the URL directly to help resolve any permission issues. In 3.5.x the admins can also browse to these pages via Browse Pages...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/07/22 4:46 a.m.•23 views

Enable X-FRAME-Options header to implement clickjacking protection

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-25143. panel TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current...

Exploits0
Atlassian
Atlassian
•added 2011/06/10 5:28 p.m.•23 views

Make captcha harder, or allow configuration of captcha difficulty, in order to prevent sophisticated spam attacks

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-22700. panel Every day we get a load of automated anonymous comment spam on our confluence pages. It seems that the captcha is t...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/05/23 1:48 a.m.•23 views

Members of confluence-administrators receive notifications for comments and attachments on restricted pages

Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages. There is a bug in the permission check for notifications about "contained" object...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/04/21 2:58 p.m.•23 views

As a developer or release manager I want to be able to create and manage versions in JIRA without having to be given project admin permissions

Currently JIRA only allows a user to create, release and generally manage versions in a project if the user is a project admin. However there are numerous use cases where developers, release managers, project managers, etc. need to be able to perform this function but don't need full admin rights...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/03/23 5:32 a.m.•23 views

Searching within restricted pages/spaces

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-22074. panel This is the issue reference:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/01/18 10:47 p.m.•23 views

Deleting a user does not remove the user from its LDAP group

Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/30 3:6 a.m.•23 views

Add warning to Shared Dashboards explaining consequence of 'everyone'

In JRA-22207, a warning was added to the "Shared Filters" page explaining what "Everyone" actually means. The "Shared Dashboards" screen also needs this warning. Please also search in the code for anywhere else this permissions-setting control is used...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/05 10:25 p.m.•23 views

Basic auth authentication does not allow files to be attached in 4.2

From the customer support case quote When using osauthType=basic to login to JIRA 4.2 a user is able to upload an attachment as a temporary file, but is unable to attach the temporary file to the issue. We noticed the exact same behavior ... had worked with JIRA 4.1.2. quote The Atlassian support...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/02 11:0 p.m.•23 views

XSS vulnerability in Bookmarks macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/11/23 3:38 a.m.•23 views

Increase the web session timeout from 60 minutes to 300 minutes

Usability and security testing have shown that XSRF time out is annoying people in the wild. The security guy Vitaly has ok'ed the limit to be increased. This has been done on trunk along with other changes and should be done on 4.3 branch as well...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/11/05 5:10 a.m.•23 views

XSS in filter.subscription.prefix.monthDay parameter of /secure/FilterSubscription.jspa

http://172.16.230.130:8080/secure/FilterSubscription.jspa?filter.subscription.prefix.interval=180&groupName=jira-users&filter.subscription.prefix.runFromMins=00&nextRun=&filter.subscription.prefix.runToMins=00&filter.subscription.prefix.runToMeridian=pm&filter.subscription.prefix.week=2&filter.su...

0.6AI score
Exploits0
Atlassian
Atlassian
•added 2010/10/12 1:7 a.m.•23 views

Patches for XSS / XSRF vulnerabilities

We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS Cross Site Scripting attacks and/or Cross Site Request Forgery XSRF attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/10 8:4 p.m.•23 views

Google Chrome shows mixed content warning

Hello, when JIRA is requested via https with Google Chrome 6.0.472.63 on all URLs of JIRA https is in red, crossed out and a padlock with red cross is shown with this description: "Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/23 1:6 a.m.•23 views

XSS vulnerability in space key, particularly with decorators off

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2010/09/06 4:33 a.m.•23 views

Potential attack vector using attachments

Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...

3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/03 7:23 a.m.•23 views

XSS vulnerability in Confluence Space Names

We have identified and fixed a cross-site scripting XSS vulnerability in Confluence Space Names. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker's te...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/25 1:56 a.m.•23 views

XSS vulnerability in the Office Connector

We have identified and fixed a cross-site scripting XSS vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/25 1:39 a.m.•23 views

Path traversal vulnerability in various Confluence actions

We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers can retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/23 9:46 a.m.•23 views

Property for enabling/disabling viewage of Jira administrators

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-22096. panel As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/06 1:53 a.m.•23 views

Replace unsafe text gadget and add to JIRA Cloud

panel:title=Atlassian Update - 23 April 2015|borderStyle=solid|borderColor=ebf2f9|titleBGColor=ebf2f9|bgColor=ffffff Hi everyone, There is an add-on from Atlassian Labs that provides a rich text dashboard gadget for JIRA Cloud. You can find it by searching for "rich text gadget" in the Find New...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/02 5:14 a.m.•23 views

Secure Administrator Sessions feature can be bypassed

In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...

0.6AI score
Exploits0
Atlassian
Atlassian
•added 2010/07/15 12:33 a.m.•23 views

Enable Web Sudo to work with other single-sign-on solutions

Customers with some of the unsupported single sign-on solutions|http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2010/06/21 3:46 a.m.•23 views

XSS vulnerability in Contributors macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence \contributors macro. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...

1.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/05/20 3:2 a.m.•23 views

Password strength measurement and restriction

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21358. panel Enable password strength rules to tell the user the effective strength of the password they choose optionally allow...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 5:52 a.m.•23 views

XSS vulnerability in some JSPs under admin section

Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...

0.1AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 4:38 a.m.•23 views

SOAP and XML-RPC APIs return too much information

The SOAP and XML-RPC APIs return more information than is needed. This issue corrects that problem. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issues and information on how we rate our issues...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 4:27 a.m.•23 views

Path for daily backup is configurable through WEB UI

It is possible to set the daily backup path and partial name through the web UI. This could mean that information can be obtained by a rouge admin. This issue addresses that by introducing a flag so concerned administrators can remove this feature. This flag is set to false by default meaning it ...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 4:0 a.m.•23 views

The list of Confluence administrators is accessible via a URL

Confluence exposes a list of the administrators. This issue corrects this by removing the list and providing the user with a form that can be used to send e-mail to all the relevant administrators on the user's behalf...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 1:24 a.m.•23 views

Remove the download link for XML site backups

Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluencecfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The fl...

6.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/19 2:59 a.m.•23 views

Group picker popup JSP has XSS hole if group names are XSS shaped

If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 5:9 a.m.•23 views

500page.jsp contains HTTP Header XSS vulnerability

The 500page.jsp contains an XSS vulnerability via the 'Referrer' HTTP header...

1AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/13 3:26 p.m.•23 views

Allow user accounts to require two-factor authentication using RFC 4226

New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication. One candidate is two-factor authentication using the RFC 4226 OATH/HOTP|http://en.wikipedia.org/wiki/HOTP standard. This requires the user...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/13 5:50 a.m.•23 views

Privilege escalation vulnerability when administrator access is compromised

panel:borderColor=ff0000|borderStyle=solid|bgColor=ffccccNote: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one. For more details, see JIRA Security Advisory -...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/13 5:44 a.m.•23 views

XSS Vulnerabilities in JIRA

panel:borderColor=ff0000|borderStyle=solid|bgColor=ffccccWarning: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one. For more details, see JIRA Security Advisory -...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/08 8:10 p.m.•23 views

Signing in with username with different case creates new user

We currently utilize LDAP for our user repository and allow users to be automatically added to crucible if they can successfully authenticate. We have recently received complaints from users that their names were showing up two times in reviews. After some analysis we saw that there were 2...

7AI score
Exploits0
Atlassian
Atlassian
•added 2010/01/20 6:41 p.m.•23 views

autocomplete box in page restrictions finds deleted users, wrong usernames

We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/10/12 9:20 p.m.•23 views

Workflow permission to limit ability to link issues

We need to be able to limit the ability to link issues by the issue status. If we have two issues, and they are both closed, I do not want to be able to link them. If one or both are opened or in progress, I'd like to be able to create the link from the open issue. We are trying to use Jira for...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/08/10 3:15 a.m.•23 views

Update of jcaptcha

Update version of jcaptcha that we use...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/07/31 6:6 a.m.•23 views

JQL not respecting Issue Security Level "Project Lead"

While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead HSP-3 has Issue Security Level of "Project Lead" only. empty JQL to show all visible issues doesn't show HSP-3. make fred the Project Lead same query: still no HSP-3 however: fred can browse to HSP-3 an...

1.4AI score
Exploits0
Atlassian
Atlassian
•added 2009/06/18 6:38 a.m.•23 views

XSS vulnerability in space name when page move would create a duplicate

Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/07 2:13 a.m.•23 views

The i18n in velocity templates does not auto html encode parameters

All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module. The most straight forward way to fix this is to wrap the parameter insid...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/07 2:13 a.m.•23 views

The i18n in velocity templates does not auto html encode parameters

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-15548. panel All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which mean...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/04/24 5:21 p.m.•23 views

Shared Filter properties exposed without authentication

Some URLs are not protected by authentication which could expose some properties in JIRA that users may not wish to reveal. Example 1: Searching filters http://support.atlassian.com/secure/ManageFilters.jspa?filterView=search Example 2: Viewing properties of filters. I can see custom fields, sear...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/04/10 4:45 a.m.•23 views

Partial space admin permission/authority

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-15172. panel I followed these guidelines, but this is not fine grained enough...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/12 4:24 p.m.•23 views

Vulnerable and pointless password storage on client computers

Given the following: -http://confluence.atlassian.com/display/DOC/Confluence+Cookies, which says "a one-way hash of the user's password" is stored in a browser cookie on the user's computer. -CSP-29692 case I opened with Atlassian support, which explained that EncryptionUtils.java is used to...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/01/28 9:58 p.m.•23 views

Ability to grant Import/Export privileges to a group or a user

In our JIRA environment, we have several projects where each of the project admins uploads tasks from a CSV file into their respective project. Inorder for these project admins have the upload permissions, they need to be part of the JIRA System Administration group. This is unacceptable and is a...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/01/05 1:54 p.m.•23 views

Assignment of JSESSIONIDs

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-14112. panel I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/11/28 5:50 a.m.•23 views

Confluence displays ALL attachments when the following URL is viewed

i removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, Irrispecitve of space and page level permission restrictions. For Example:...

0.8AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295