Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2009/01/05 1:54 p.m.22 views

Assignment of JSESSIONIDs

I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's session once they have authenticated and logged in to the site. This is to differentiate between a user's session before they have logged in and after they have authenticated and have ...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/01 10:56 p.m.22 views

Restrict access to page history to certain users (or groups)

A customer requested for a new feature to restrict access to page history only to a particular group or certain users...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/15 4:42 p.m.22 views

XSS in pagetree plugin

The pagetree plugin is vulnerable for XSS injecting the code in the treeId field. Example below:...

6.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/08/25 10:33 a.m.22 views

Hidden pages' content can be viewed without permission using diffpages.action

If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A Page with id 2 is in Space B User cannot see Space A User can see Space ...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/06/04 1:58 a.m.22 views

SSO credentials not used in IssueViewURLHandler

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-15048. panel A customer has created a SSO plugin and are facing some specific issues in this context. When they click on the printable link o...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/24 5:54 a.m.22 views

Implement login using google Authentication

We are a small company , and we are using Google for mail , calender etc ... For now we are using open ldap to authenticate users for our Jira But we would like to have a sort of SSO , using google users and password It will be great to be able to configure Jira , to check the users password...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/22 5:36 p.m.22 views

Remember my password with LDAP

At the login screen, when we click on 'Remember my login on this computer' and login, everything works well. When we close the browser without logout, the login should be remember on this computer. When we try to get back into Jira, here's the bug that we have into our log file. 2008-04-22...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/10 10:12 p.m.22 views

Some users' logins are not remembered using Tomcat

When using Confluence, and Tomcat 5.5.26 or Tomcat 6 some users may find that their logins are not remembered. This is because of a bug in Tomcat's cookie handling. This is logged against the Atlassian Seraph library used by Confluence as SER-117. SER-117 has been fixed, so we "just" need to use ...

3.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/08 9:34 a.m.22 views

It's possible to browse project names when using Issue Security Scheme.

A customer user is set up and only allowed to see "External" issues. - The user is added as project role "Customers" in project "X". - The project got Issue Security Scheme "Customers". Internal / External When logging in as the customer user, you can only see the External issues within this...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/18 4:38 a.m.22 views

XSS vulnerability in social bookmarking plugin bundled in Confluence

The social bookmarking plugin is bundled in Confluence 2.7.x and Confluence 2.6.x. As such this vulnerability affects all 2.7.x and 2.6.x instances even if you do not use the plugin or do not have the Add Bookmark Web Item enabled. The updatebookmark.action URL is vulnerable on these parameters: ...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2008/03/17 7:12 a.m.22 views

XSS vulnerabilities in insert image and link actions

In 2.7.x, the following URL's are vulnerable: - /users/insertlink.action - /users/insertlink-page-attachmentstab.action - /users/insertlink-page-uploadfile.action - /users/insertlink-draft-attachmentstab.action - /users/insertlink-draft-uploadfile.action - /users/doinsertimageinpage.action -...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 7:12 a.m.22 views

XSS vulnerabilities in insert image and link actions

In 2.7.x, the following URL's are vulnerable: - /users/insertlink.action - /users/insertlink-page-attachmentstab.action - /users/insertlink-page-uploadfile.action - /users/insertlink-draft-attachmentstab.action - /users/insertlink-draft-uploadfile.action - /users/doinsertimageinpage.action -...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/10 4:58 a.m.22 views

XSS vulnerability in signup actions

Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/10 4:44 a.m.22 views

viewuser.action has an XSS problem around username

Steps to reproduce: create a user with username: foo"alert'hello';span class="ff you should get an alert when you are redirected to viewuser.action to view the user you just created...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2008/02/08 2:18 p.m.22 views

Seperate label permissions from edit issue permission

In 3.11 the labels plugin changed so that manipulating labels required the "Edit Issue" permission. This drastically impacted our organizations workflow, as we'd just introduced labels in our previous upgrade, and we don't give "edit issues" to all users, but we do want all authenticated users to...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/08 2:18 p.m.22 views

Seperate label permissions from edit issue permission

In 3.11 the labels plugin changed so that manipulating labels required the "Edit Issue" permission. This drastically impacted our organizations workflow, as we'd just introduced labels in our previous upgrade, and we don't give "edit issues" to all users, but we do want all authenticated users to...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/23 2:4 p.m.22 views

Different IE browser windows have different sessions and different session timeout timing

One of our user reported the following: ---- I discovered the reason why JIRA sometimes closes my IE session, it depends on the way you login: 1 When you login via navigation to your home page http://support/jira/secure/Dashboard.jspa all is ok, multiple JIRA sessions never expire. 2 When you log...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/11/12 3:22 a.m.22 views

Bulk Move does not update the Security Level of subtasks

When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/17 12:34 a.m.22 views

Move velocity templates and other web resources into WEB-INF in the Confluence webapp

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-9730. panel It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/13 8:15 a.m.22 views

XSS Bug in printable link display

A Cross sites scripting vulnerability exists in macro used to render the 'printable' link. Here is an exploit for the vulnerability that works https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert'Watchfire%20XSS%20Test%20Successful'%3C/script%3E Bug was found using APPScan...

6.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/10 11:43 p.m.22 views

It is possible to see components without logging in

It is possible to see project's components without logging in by just guessing urls, e.g. jira-installation/browse/KEY/component/10881. This will show all the information written on component issues are not shown. This should be restricted so that it is impossible to see any project information...

2.4AI score
Exploits0
Atlassian
Atlassian
added 2007/07/24 7:51 a.m.22 views

Reflected XSS Vulnerability in the Feed Builder

---- Input in the Feed Builder is not properly handled. Insert: code "alert'Gotcha!' code as the feed name title and you get url like this:...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2007/07/23 11:49 a.m.22 views

Vulnerability against DoS attack at permission setting

Description: This bug is similar like this one: http://jira.atlassian.com/browse/CONF-8978. Exploit: Insert to the "Grant permission to" field x thousand comma without sapce...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 12:56 p.m.22 views

XSS vulnerability in app/pages/listpages-alphaview.action

Description: XSS via the "startsWith" field in pages/listpages-alphaview.action. Exploit: noformathttp://app/pages/listpages-alphaview.action?key=&startsWith=xss:alertdocument.cookienoformat...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/05/18 6:7 p.m.22 views

Assign Groups to Project Role screen allows entry of users as groups

When assigning groups to a project role, the screen allows the user to specify a group that is really a user name...

2.5AI score
Exploits0
Atlassian
Atlassian
added 2007/03/15 10:22 p.m.22 views

Data anonymiser does not blank out SMTP server username and password

SMTP server username and password are readable in database/xml export: This can possible security leak e.g. when you sent support request, where you send database export to support. Anonymizer does not remove these values. ---- Username and password should be encoded format in database...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/18 10:28 p.m.22 views

Deleting user does not remove the user from a permission scheme

If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: noformat 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/11/29 8:6 a.m.22 views

Directory listing enabled on Tomcat

Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/11/29 8:6 a.m.22 views

Directory listing enabled on Tomcat

Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...

3.8AI score
Exploits0
Atlassian
Atlassian
added 2005/09/14 4:22 a.m.22 views

A user cannot set the security level to none if the default security level is set

Selecting 'none' always creates an issue with the default security level...

1AI score
Exploits0
Atlassian
Atlassian
added 2005/05/04 4:22 a.m.22 views

LDAP authentication falls back to database check when password is incorrect

If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...

1.8AI score
Exploits0
Atlassian
Atlassian
added 2004/11/08 2:58 p.m.22 views

A page containing the rss-macro is not displayed if the requested rss-feed is "down"

A page containing the rss-feed macro is not shown if the requested rss-feed is "down" there's no response sent to the browser. It would certainly be better if the page could be displayed anyway; perhaps with a message stating that the feed contents can't be fetched...

0.7AI score
Exploits0
Atlassian
Atlassian
added 2004/08/25 6:33 a.m.22 views

Enhance Seraph SSO support to create users automatically

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-4299. panel Users of SSO systems generally also have some sort of external user management. As a simple first step, JIRA's SSO authenticator...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/08/25 6:33 a.m.22 views

Enhance Seraph SSO support to create users automatically

Users of SSO systems generally also have some sort of external user management. As a simple first step, JIRA's SSO authenticator could create an OSUser account in JIRA if the SSO authentication succeeds...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/04/01 11:52 a.m.22 views

Character not allowed in user name

A user has sign up with the user name "m&m". The i tried to modify this user. Because the username is passed as url parameter FooServlet?name=m&m : GET or POST method the servlet container cut the name and try to retreive the username named "m" !!! The only way is to use a database client, change...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/04/09 2:39 p.m.22 views

Asked to re-authenticate to delete issue

/jira/secure/DeleteIssue!default.jspa?id=10012 everything seems to work ok, but I try to delete previously existing issue and I get redirected to the URL above. instead of a delete issue page, I get a login page, only it looks messed up - it's the login form table miniwindow except spread 100%...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/05/11 11:32 p.m.21 views

RCE (Remote Code Execution) at com.fasterxml.jackson.core:jackson-core dependency in Crucible Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 4.9.0 of Crucible Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated...

8.7CVSS6.1AI score0.00634EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.21 views

File Inclusion in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.4, 11.0.0, 11.1.0, 11.2.1, and 11.3.0 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2...

8.6CVSS6.7AI score0.00408EPSS
Exploits2
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.21 views

File Inclusion in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in version 11.3.3 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N allows an unauthenticated...

8.2CVSS6.8AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/05/05 4:29 p.m.21 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.17.2, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.1, 10.6.0, 10.7.2, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 a...

7.5CVSS6.9AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/05 4:29 p.m.21 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.17.2, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.1, 10.5.0, 10.6.0, 10.7.2, 11.0.1, 11.1.0, 11.2.0, and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS...

7.5CVSS6.9AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 9:26 p.m.21 views

DoS (Denial of Service) net.minidev:json-smart Dependency in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.12.1, 10.3.0, and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated...

7.5CVSS5.8AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 1:22 p.m.21 views

MITM (Man-in-the-Middle) com.squareup.okhttp3:okhttp Dependency in Jira Service Management Data Center and Server

This High severity MITM Man-in-the-Middle vulnerability was introduced in version 10.3.0 of Jira Service Management Data Center and Server. This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:Ncode allows an unauthenticated attack...

7.5CVSS6.9AI score0.00877EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/14 4:29 a.m.21 views

RCE (Remote Code Execution) at c3p0 dependency in Crucible Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 4.9.0 of Crucible Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.9 and a CVSS Vector of code:java CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H code allows an...

8.9CVSS6.3AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.21 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 8.9.0, 9.0.1, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of...

8.7CVSS5.8AI score0.01125EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.21 views

DoS (Denial of Service) com.squareup.okio:okio Dependency in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.0, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 11.0.1, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score ...

7.5CVSS6.7AI score0.01077EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.21 views

DoS (Denial of Service) css Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1, 9.2.3, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.2, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.01121EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.21 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 7.1 and a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N allows a...

7.1CVSS5.9AI score0.00288EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/04 12:27 a.m.21 views

Improper Authorization org.springframework:spring-core Dependency in Confluence Data Center and Server

This High severity Improper Authorization vulnerability known as CVE-2025-41249 was introduced in versions 7.19 of Confluence Data Center and Server. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N allows an...

7.5CVSS5.8AI score0.0046EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/19 12:42 a.m.21 views

XSS (Cross Site Scripting) dompurify Dependency in Jira Service Management Data Center and Server

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, and 11.1.0 of Jira Service Management Data Center and Server. This XSS Cross Site Scripting vulnerability, with a CV...

7.3CVSS6.6AI score0.00844EPSS
Exploits0
Total number of security vulnerabilities4295