Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2009/06/18 6:38 a.m.22 views

XSS vulnerability in space name when page move would create a duplicate

Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/29 4:14 a.m.22 views

XSS in user links

A user with username "alert"foo" that is linked to via \username markup results in script being executed. Curiously, viewing the space homepage of that user results in a blank page. This of course is prevented for public signup, but if the user gets created via other means, i.e. external user...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/26 1:29 a.m.22 views

XSS in concurrent edit notification

If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...

2.1AI score
Exploits0
Atlassian
Atlassian
added 2009/04/21 1:39 p.m.22 views

Issue attachments, need a functionality of Security Schemes

In our JIRA instance both customers and developers have access to issues. We would like to have a security scheme functionality in connection to issue's attachments. In other words, we would like to attach a documentation which would not be visible to customers or other groups of JIRA users...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/04/21 1:28 a.m.22 views

Import Pages is not restricted to system admins

The Import pages actions is currently restricted to space admins not system admins like it should. Caused by CONF-10039...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/04/10 4:45 a.m.22 views

Partial space admin permission/authority

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-15172. panel I followed these guidelines, but this is not fine grained enough...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/03/19 4:38 p.m.22 views

Bright Cove User Macro-Cross-site script

Our e-security found the following error after they scanned the Bright Cove User Macro: Number System/Location Defect Type Status R4 Bright Cove User Macro Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...

7.2AI score
Exploits0
Atlassian
Atlassian
added 2009/03/19 4:23 p.m.22 views

Reporting Plugin- Cross-site scripting error

Our e-security found the following error for the Reporting plugin: Number System/Location Defect Type Status R2 Reporting Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be used to...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/03/19 4:23 p.m.22 views

Reporting Plugin- Cross-site scripting error

Our e-security found the following error for the Reporting plugin: Number System/Location Defect Type Status R2 Reporting Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be used to...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/02/12 1:0 a.m.22 views

Password is being logged for 500 errors

The user passwords are being exposed in the log files when a 500 error happens. The following Jira solved the problem for the information displayed in the user Browser: http://jira.atlassian.com/browse/CONF-12360...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2009/01/05 1:54 p.m.22 views

Assignment of JSESSIONIDs

I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's session once they have authenticated and logged in to the site. This is to differentiate between a user's session before they have logged in and after they have authenticated and have ...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/01/05 1:54 p.m.22 views

Assignment of JSESSIONIDs

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-14112. panel I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/28 5:50 a.m.22 views

Confluence displays ALL attachments when the following URL is viewed

i removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, Irrispecitve of space and page level permission restrictions. For Example:...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/27 5:18 a.m.22 views

Confluence administrators (who are not necessarily sys admins) can configure whitelist

A user who has the "Confluence Administrator" permission, but not necessarily the "System Administrator" permission, can configure the new URL whitelist for the HTML-include and RSS macros. Is this good enough, from a security point of view?...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:42 p.m.22 views

XSS in pagetree plugin

The pagetree plugin is vulnerable for XSS injecting the code in the treeId field. Example below:...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:5 p.m.22 views

Stored XSS in wiki macro search

Creating a page/comment etc with the following wiki-markup macro will render javascript on the page for anybody visiting this page search:query=alertdocument.cookie IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the vulnerability to publicly...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/06/04 1:58 a.m.22 views

SSO credentials not used in IssueViewURLHandler

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-15048. panel A customer has created a SSO plugin and are facing some specific issues in this context. When they click on the printable link o...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/08 9:34 a.m.22 views

It's possible to browse project names when using Issue Security Scheme.

A customer user is set up and only allowed to see "External" issues. - The user is added as project role "Customers" in project "X". - The project got Issue Security Scheme "Customers". Internal / External When logging in as the customer user, you can only see the External issues within this...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/18 4:38 a.m.22 views

XSS vulnerability in social bookmarking plugin bundled in Confluence

The social bookmarking plugin is bundled in Confluence 2.7.x and Confluence 2.6.x. As such this vulnerability affects all 2.7.x and 2.6.x instances even if you do not use the plugin or do not have the Add Bookmark Web Item enabled. The updatebookmark.action URL is vulnerable on these parameters: ...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2008/03/17 5:0 a.m.22 views

XSS vulnerability in pagepicker.action and spacepagepicker.action

The following URL's are vulnerable: - /users/pagepicker.action - /users/spacepagepicker.action on formname, fieldname and currentspace panel:bgColor=99ff99 h4. Patch instructions for 2.6.x and 2.7.x 1. Shut down Confluence 2. Copy attached pagepicker.vm to confluence/users/ 3. Start up Confluence...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/13 12:20 a.m.22 views

Fix the seraph.os.cookie from failing on Tomcat by upgrading atlassian-seraph

Once SER-117 has been fixed, incorporate the changes into JIRA see the linked issue for a full description of the problem. Note that this only affects Tomcat users; Resin and Orion do not appear to be affected. User Symptoms: Users have checked the "Remember my login on this computer" checkbox al...

3.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/12 12:36 a.m.22 views

XSS vulnerabilities in create space action

The following URL's are vulnerable: - spaces/createspace-start.action - spaces/createspace.action on key and name parameters...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/10 4:58 a.m.22 views

XSS vulnerability in signup actions

Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/10 4:44 a.m.22 views

viewuser.action has an XSS problem around username

Steps to reproduce: create a user with username: foo"alert'hello';span class="ff you should get an alert when you are redirected to viewuser.action to view the user you just created...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2007/11/02 3:23 a.m.22 views

You are able to delete a Custom Field that is referenced in Permission settings.

If you add a User Custom Field as a permission in a permission scheme or issue level security scheme, you are then able to delete the Custom Field without validation or warnings. After deleting the field, you are still able to see the Custom Field ID in the permission scheme, although it can...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/25 9:58 a.m.22 views

"Forgot password" function allows easy misuse

The "Forgot password" function invents a new password and sends it by email. This invites to misuse as guessing the userid already allows to annoy or even lock-out the legitimate account owner. The user may currently not have access to his email account or the mail could be killed by a spam filte...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/17 12:34 a.m.22 views

Move velocity templates and other web resources into WEB-INF in the Confluence webapp

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-9730. panel It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/13 8:15 a.m.22 views

XSS Bug in printable link display

A Cross sites scripting vulnerability exists in macro used to render the 'printable' link. Here is an exploit for the vulnerability that works https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert'Watchfire%20XSS%20Test%20Successful'%3C/script%3E Bug was found using APPScan...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/06 6:57 p.m.22 views

Option to disable "secure" cookie when using HTTPS just for login page

Confluence's "remember me" tickbox doesn't work if the login page is secure, but the rest of the application is unsecured. Seraph's CookieUtils.setCookie method create a secure cookie ref|http://www.apps.ietf.org/rfc/rfc2965.htmlpage-7 if the request had a secure URL, and this cookie isn't sent b...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/10 11:43 p.m.22 views

It is possible to see components without logging in

It is possible to see project's components without logging in by just guessing urls, e.g. jira-installation/browse/KEY/component/10881. This will show all the information written on component issues are not shown. This should be restricted so that it is impossible to see any project information...

2.4AI score
Exploits0
Atlassian
Atlassian
added 2007/07/24 7:51 a.m.22 views

Reflected XSS Vulnerability in the Feed Builder

---- Input in the Feed Builder is not properly handled. Insert: code "alert'Gotcha!' code as the feed name title and you get url like this:...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2007/07/23 11:49 a.m.22 views

Vulnerability against DoS attack at permission setting

Description: This bug is similar like this one: http://jira.atlassian.com/browse/CONF-8978. Exploit: Insert to the "Grant permission to" field x thousand comma without sapce...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 12:56 p.m.22 views

XSS vulnerability in app/pages/listpages-alphaview.action

Description: XSS via the "startsWith" field in pages/listpages-alphaview.action. Exploit: noformathttp://app/pages/listpages-alphaview.action?key=&startsWith=xss:alertdocument.cookienoformat...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/11/29 8:6 a.m.22 views

Directory listing enabled on Tomcat

Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...

3.8AI score
Exploits0
Atlassian
Atlassian
added 2006/03/27 12:36 a.m.22 views

Support nested groups

panel:title=Resolved in Confluence 3.5|borderStyle=solid|borderColor=3C78B5|titleBGColor=3C78B5|bgColor=E7F4FA We are pleased to advise that support for nested groups is available in Confluence 3.5. You can find instructions on how to configure nested groups in our documentation: Configuring User...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/09/14 4:22 a.m.22 views

A user cannot set the security level to none if the default security level is set

Selecting 'none' always creates an issue with the default security level...

1AI score
Exploits0
Atlassian
Atlassian
added 2005/05/04 4:22 a.m.22 views

LDAP authentication falls back to database check when password is incorrect

If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2004/11/08 2:58 p.m.22 views

A page containing the rss-macro is not displayed if the requested rss-feed is "down"

A page containing the rss-feed macro is not shown if the requested rss-feed is "down" there's no response sent to the browser. It would certainly be better if the page could be displayed anyway; perhaps with a message stating that the feed contents can't be fetched...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2004/08/25 6:33 a.m.22 views

Enhance Seraph SSO support to create users automatically

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-4299. panel Users of SSO systems generally also have some sort of external user management. As a simple first step, JIRA's SSO authenticator...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2003/09/18 8:16 p.m.22 views

should be able to login only via https

you should be able to configure JIRA to login via HTTPS. this is almost possible in 2.4.1. You can specify an https URL in security-config.xml as the login.url parameter. this makes loing links from e.g. the issue view page work correctly. a slight problem here is that the session remiains in the...

Exploits0Affected Software1
Atlassian
Atlassian
added 2002/04/09 2:39 p.m.22 views

Asked to re-authenticate to delete issue

/jira/secure/DeleteIssue!default.jspa?id=10012 everything seems to work ok, but I try to delete previously existing issue and I get redirected to the URL above. instead of a delete issue page, I get a login page, only it looks messed up - it's the login form table miniwindow except spread 100%...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:32 p.m.21 views

RCE (Remote Code Execution) at com.fasterxml.jackson.core:jackson-core dependency in Crucible Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 4.9.0 of Crucible Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated...

8.7CVSS6.1AI score0.00634EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.21 views

File Inclusion in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.4, 11.0.0, 11.1.0, 11.2.1, and 11.3.0 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2...

8.6CVSS6.7AI score0.00408EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.21 views

File Inclusion in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in version 11.3.3 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N allows an unauthenticated...

8.2CVSS6.8AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/05/05 4:29 p.m.21 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.17.2, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.1, 10.5.0, 10.6.0, 10.7.2, 11.0.1, 11.1.0, 11.2.0, and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS...

7.5CVSS6.9AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 9:26 p.m.21 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.12.1, 10.3.0, and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...

7.5CVSS5.8AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 1:22 p.m.21 views

MITM (Man-in-the-Middle) com.squareup.okhttp3:okhttp Dependency in Jira Service Management Data Center and Server

This High severity MITM Man-in-the-Middle vulnerability was introduced in version 10.3.0 of Jira Service Management Data Center and Server. This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:Ncode allows an unauthenticated attack...

7.5CVSS6.9AI score0.00877EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 4:29 a.m.21 views

RCE (Remote Code Execution) at c3p0 dependency in Crucible Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 4.9.0 of Crucible Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.9 and a CVSS Vector of code:java CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H code allows an...

8.9CVSS6.3AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.21 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

8.7CVSS5.8AI score0.01125EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.21 views

DoS (Denial of Service) com.squareup.okio:okio Dependency in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.0, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 11.0.1, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score ...

7.5CVSS6.7AI score0.01077EPSS
Exploits1
Total number of security vulnerabilities4295