Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2017/05/24 3:23 p.m.22 views

Other SD Projects Knowledge Base are accessible through direct link

h3. Summary: If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space. h3. Steps to Reproduce: Prepare a JIRA instance that is connected to Confluence...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/30 3:39 p.m.22 views

Information Exposure in JUnit Report Macro

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-52112. panel The JUnit Report Macro throws different error messages for the url parameter code:java file:///no/file/herecode...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/21 1:8 a.m.22 views

Administrators should have the ability to restrict access to the System dashboard

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-64165. panel Administrators should have the ability to restrict access to the System dashboard which by default is available to the public...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/01/19 9:29 a.m.22 views

XSS attack possible on FishEye file history page

The File History page was vulnerable to XSS...

1.3AI score
Exploits0
Atlassian
Atlassian
added 2016/11/28 4:10 a.m.22 views

Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets t...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2016/08/10 5:55 p.m.22 views

Secure SSL flag does not work when using Delegated LDAP

h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/08/09 5:48 p.m.23 views

Issue Security Scheme Changes Are Not Reported In Audit Log

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-62187. panel h3. Summary When a change is made to an issue security scheme, nothing is logged in the Audit Log. This means that an...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/19 7:11 p.m.22 views

XSS in Mail Whitelist Field

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61963. panel Jira Admins can create a persistant XSS on the Incoming Mail configuration page. When the value code "alert1 code is inserted in...

2.1AI score
Exploits0
Atlassian
Atlassian
added 2016/07/07 9:52 p.m.22 views

XSS in newFileName Field

From an external report: quote Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the...

6.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/05/24 2:36 p.m.22 views

The "Restrict to articles with labels" option doesn't restrict the customer portal from suggesting KB's other than those with the nominated Label

h3. Summary Currently we have the "Restrict to articles with labels", where you can specify the label for a request. When a customer is filling the summary for a request, SD will search the knowledge base for similar content from confluence pages with that label. However, the customer portal sear...

Exploits0
Atlassian
Atlassian
added 2016/04/21 1:10 p.m.22 views

Permission issues with projects and reviews

There are 2 issues related to permission schema. They were grouped together into a single issue, marked with a security label. h4. Issue 1 User visited in the past Project A. Also he has visited a review raised in Project A. FeCru allows him to access those recent items using the menu on top...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2016/03/21 9:23 p.m.22 views

Security Issue with multimedia playback on Mac OSX

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-41124. panel Currently your multimedia playback method uses an older and insecure method. I had to reinstate old plugins to mak...

Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/09 10:49 a.m.22 views

XSS vulnerability found in profile settings

There was a XSS vulnerability found in profile settings pages...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/07 11:35 a.m.22 views

Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances

Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2016/01/07 11:34 a.m.22 views

Groups to Synchronise membership filter in Crowd/JIRA authentication not effective in some circumstances

Users existing in remote Crowd/JIRA authentication source may get access to FishEye/Crucible instance even if they are not members of specified "Groups to Synchronise"...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2016/01/07 11:25 a.m.22 views

One FishEye admin can get access to repository password provided by another admin

It was possible to retrieve the repository passwords provided by another administrator via web browser session. It was fixed now, so password can still be changed or unset if necessary, but it is not possible to read its contents...

3.5AI score
Exploits0
Atlassian
Atlassian
added 2016/01/06 1:16 a.m.22 views

Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection

Crowd is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to frame crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issue can be...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/01/06 1:16 a.m.22 views

Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection

Crowd is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to frame crowd from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issue can be...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2015/12/22 10:57 a.m.22 views

Backup action is XSRF vulnerable

XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...

2.9AI score
Exploits0
Atlassian
Atlassian
added 2015/12/22 10:55 a.m.22 views

Backup action is XSRF vulnerable

XSRF vulnerability was identified and fixed, so it was possible to trigger backup action taking application into maintenance mode. This could lead to overwriting an existing backup file...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/12 8:53 a.m.22 views

XSS in review file paths

We have identified a XSS vulnerability introduced in Crucible 3.9.0. Fix was included in 3.9.1 version released publicly on September 10th, 2015...

3.1AI score
Exploits0
Atlassian
Atlassian
added 2015/10/01 8:59 a.m.22 views

Prevent Activity feed information leakage by allowing permanently disabling of it

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-45601. panel It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances,...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/09/15 1:28 a.m.22 views

SEN available in HTTP Response headers

Cloned from JRA-45188 h3. Summary Seems we're giving away our Support Entitlement Numbers SEN in our HTTP response headers. Risk here is that users who obtain these can then get free support in SAC. h3. Environment JIRA and Confluence Server JIRA and Confluence Cloud Potentially other apps h3...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/13 8:17 a.m.22 views

Disabled Users Receive Notification from Team Calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...

7.8AI score
Exploits0
Atlassian
Atlassian
added 2015/07/01 9:14 p.m.22 views

As a Confluence Administrator, I would like to configure the 'Attachment Download Security Policy' on a per space basis

h3. Problem Definition As a Confluence Administrator, I would like to configure the 'Attachment Download Security Policy' on a per space basis. At the moment, the setting is applied at a global basis, which does not work if you want attachments to be downloaded/displayed inline depending on the...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/03 7:44 p.m.22 views

Users with only View Space permission are able to edit Space Questions

h2. Problem Summary Users are able to edit any Space Questions as long as they have View permissions for that space. This includes questions asked by other users. Users do not need to have Space Admin or even Add/Edit Page permissions to the space, only View is required. This is inconsistent when...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/01 6:42 p.m.22 views

Advanced JQL Search does not Respect User email visibility Hidden

h4. Problem The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails See screenshots h4. Steps to Reproduce Set User email visibility to Hidden JIRA Administration System General Configuration Edit Use...

Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/01 6:42 p.m.22 views

Advanced JQL Search does not Respect User email visibility Hidden

h4. Problem The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails See screenshots h4. Steps to Reproduce Set User email visibility to Hidden JIRA Administration System General Configuration Edit Use...

Exploits0
Atlassian
Atlassian
added 2015/02/27 1:46 p.m.22 views

Restrictions not applied for inline comments in attachments

When there is a comment for a file which is attached to a restricted page, all users can see the comment, even the ones who are not allowed to see the page and its attachments. h3. Workaround for 5.7 There is no workaround for customers running Confluence 5.7. Customers are advised to upgrade to...

4.2AI score
Exploits0
Atlassian
Atlassian
added 2015/02/26 1:52 p.m.22 views

Member of confluence-administrators group able to see restricted page in pagetree, quick search and navigation panel

Bug Background Confluence super-users or member of confluence-administrators group should be able to access any content in Confluence including restricted content as long as it have the direct URL to access as describe in our documentation...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/02/07 12:44 a.m.22 views

Application Navigator shows full list of links, including restricted ones

If a user has access to JIRA, but not Confluence, and try to go to a Confluence page, the access error page itself will have the hamburger menu with a full, unrestricted list of all links set up. We have a couple links pointing to code repositories and an older, archived issue tracker. The former...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/01/09 12:12 a.m.22 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to have an account and be able to access the Confluence web interface. All versions of Confluence u...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/01/08 11:51 a.m.22 views

Administrator role has access to restricted pages

Setting up e.g. a personal space and giving only the owner full access, anonymous access denied, some people administrators? still have access can view, change permission and add comments. This is regardless of space or site restriction. We are using the build-in security systems shared with JIRA...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/01/08 11:51 a.m.23 views

Administrator role has access to restricted pages

Setting up e.g. a personal space and giving only the owner full access, anonymous access denied, some people administrators? still have access can view, change permission and add comments. This is regardless of space or site restriction. We are using the build-in security systems shared with JIRA...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/12/19 2:48 p.m.22 views

Information disclosure - full path disclosure

Jira displays charts on the dashboard by writting a temporary file in Jira "tmp" folder and reading it through a page called "charts" When the filename provided to this page is not present, an error message displays the full path to the "tmp" folder, which lies in Jira directory. This is a...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2014/10/10 12:43 p.m.22 views

Stash email settings fields can be inadvertently be populated by browser with user login details - security issue

The email and username password in the email server settings screen has the same names as the username and password fields when logging in. This has the unintentional side affect of being pre-populated by your browser if you have left the mail server credentials blank and your browser has saved...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2014/10/10 12:43 p.m.22 views

Stash email settings fields can be inadvertently be populated by browser with user login details - security issue

The email and username password in the email server settings screen has the same names as the username and password fields when logging in. This has the unintentional side affect of being pre-populated by your browser if you have left the mail server credentials blank and your browser has saved...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/10/04 11:52 a.m.22 views

Project administrator is able to migrate Permission Scheme

panel:title=Atlassian status update as of 12th July 2018 Hello Customers, We’ve addressed this bug and the fix is available on all version of Jira Service Desk 3.9 and above. For more information please refer to the documentation here...

6.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/10/03 11:31 a.m.22 views

Bitbucket repository configuration doesn't offer SSH

When you add a new Bitbucket repository, you can only enter a username/password for authentication. If you want to use SSH, you should fallback to the generic 'Git' repository host. SSH should be offered as an option in the Bitbucket configuration. As an intermediate solution you can add a...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/10/01 2:52 p.m.22 views

Confluence Security Settings not respected by Confluence Questions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47587. panel Hi Atlassian team, in our Confluence configuration we set "User email visibility" to "only visible to site...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2014/09/11 5:28 p.m.22 views

Add global option "Enable group <anyone>"

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-39912. panel As mentioned in JRA-18076 and JRA-23255, the predefined group anyone poses security risks in many cases as it exposes projects t...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/09/10 9:23 a.m.22 views

Disabled users still recieve 'Share Page' emails sent to groups

Steps to Reproduce in Confluence: Create a user, and set to 'Disabled' Create a Group and make this user a member of this group Share a page with the group This results in an email being sent to the inactive user Steps to Reproduce with a Crowd server handling user management: Same as above, but...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2014/09/04 1:4 a.m.22 views

Draft retrieval in the editor doesn't respect page or space permissions

Drafts are supposed to be per user and private but given a draft id, which should be easy to guess as they are sequential, you can access the contents of any draft, both for new and existing pages by using the following urls:...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/08/15 12:38 p.m.22 views

Child pages permissions are not respected in Popular Tab

mfernandezbadii posted this on CONF-33207: quote I found that restricted child pages not the whole space, will still show on the Popular Tab. Example: User can browse a Space. Restricted page is created and user can't browse it or see it in the Popular Tab. Child page is created: User can't brows...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/14 9:21 a.m.22 views

Information disclosure in the REST API

Jira reports the 404 not-found earlier than the 401 not-authorized. This discloses the non-existence of a specific issue numbers to unauthorized users. While this isn't a huge leak, this could come in useful with social engineering. Proof of concept: Both of the calls below are unauthenticated, a...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/14 3:28 a.m.22 views

Reflected XSS affecting Confluence via Gadgets

Steps to recreate: 1. To view the reflected XSS affecting JIRA, present on the current JIRA installation jira.atlassian.com visit the following link: noformat...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/07/01 3:29 p.m.22 views

Subpages don't inherit permissions from parent pages (see comments for solution)

We are currently experiencing a serious issue with page restrictions. We have pages with restrictions, that have sub pages, which were created by users, that were deleted from the user directory in the meantime. These root-pages have read restrictions, set for a particular group. However, these s...

1.2AI score
Exploits0
Atlassian
Atlassian
added 2014/06/24 6:34 a.m.22 views

Reflected XSS affecting JIRA via Gadgets

Steps to recreate: 1. To view the reflected XSS affecting JIRA, present on the current JIRA installation jira.atlassian.com visit the following link: noformat...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/18 2:46 p.m.22 views

Removing user from LDAP doesn't clear LDAP group membership

Reproduction steps: 1. Setup generic LDAP user repository RW, with jira-users, jira-developers, jira-administrators groups. 2. Create user for John Smith as [email protected]. 3. Add him to jira-administrators group. 4. Remove user [email protected] John changed the company. 5. Create user for Jake Sunny as...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2014/06/04 3:37 p.m.22 views

Crowd User Directory application password stored in plain text

Table: cwddirectoryattribute Column: attributevalue How to Verify in my environment: Connect to JIRA database using psql and run query: code select attributevalue from cwddirectoryattribute where attributename = 'application.password' code Note how the returned value is the plain text value of th...

1.8AI score
Exploits0
Total number of security vulnerabilities4295