4295 matches found
Information disclosure - full path disclosure
Jira displays charts on the dashboard by writting a temporary file in Jira "tmp" folder and reading it through a page called "charts" When the filename provided to this page is not present, an error message displays the full path to the "tmp" folder, which lies in Jira directory. This is a...
Use of atlassian-whitelist plugin allows CORS access to origins which it should not
The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...
Use of atlassian-whitelist plugin allows CORS access to origins which it should not
The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...
Use of atlassian-whitelist plugin allows CORS access to origins which it should not
The ApplicationLinkMatcher class|https://bitbucket.org/atlassian/atlassian-whitelist/src/9ba2728450d8fe880d3d30e74cc0c75a427e66fb/atlassian-whitelist-api-plugin/src/main/java/com/atlassian/plugins/whitelist/applinks/ApplicationLinkMatcher.java?at=master and the SelfUrlMatcher...
XSS vulnerability in "children" macro when displaying excerpts
Create a parent page A with a child page B - Add an \excerpt\ macro to B containing the text alert"Gotcha!"; - Add the \children\ macro to page A, with "Show excerpts" checked - Alert is shown when viewing A This is currently present on EAC - likely to be in released versions; not tested yet...
SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE
The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...
Activity stream on JAC contains updates from another user
Jira prompted me to change my time zone, and brought me to a profile that seems to be for a completely different user who happens to share my first name and last initial. See attached screen shot. Going directly to https://secretlocation.atlassian.net/secure/ViewProfile.jspa shows me the proper...
Adding Subscription Cal by URL stores user password unencrypted
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48402. panel I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really ...
Confluence Security Settings not respected by Confluence Questions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47587. panel Hi Atlassian team, in our Confluence configuration we set "User email visibility" to "only visible to site...
Tools/Share sends e-mail to disabled users
I have Confluence/JIRA latest versions self hosted. Confluence gets its users from JIRA. I created a new topic and then used the Tools/Share option to notify all of the new topic. I used "jira-users" to send the message to. It sent to everyone including disabled users. I would expect the behavior...
Stored XSS Vulnerability found on Atlassian
Hi ! My name is Andi Rrahmani and i am an Independent Security Researcher. I am writing this email to let you know of a Stored XSS Vulnerability that i found on atlassian.com . You will have the POC as an atachment to this report that i am making. Now i will show you in details how i managed to...
Stored XSS Vulnerability found on Atlassian
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47027. panel Hi ! I am writing this email to let you know of a Stored XSS Vulnerability that i found on atlassian.com . You will...
Password for LDAP Connection Displayed in the "directoryConfigurationSummary.txt" file
In the Support.zip|https://confluence.atlassian.com/display/DOC/Troubleshooting+Problems+and+Requesting+Technical+SupportTroubleshootingProblemsandRequestingTechnicalSupport-Method1:UsingtheSupportRequestFormviatheConfluenceAdministrationConsole there is a file named...
Escape or filter script tags in "all activity" panel
We've got an external report about a third party plugin: quote From: Vincent Ollivier Date: 29 July 2014 13:12 Subject: JIRA 6.2.5 / JEditor XSS Vulnerability To: [email protected] Hi, Sorry for the email, I couldn't find the correct project to report this security issue. There's an XSS in...
XSS using WebFragmentBuilder for WebItemProvider
The label is not escaped properly when using WebFragmentBuilder to generate links for JIRA's nav dropdown. This only happens when is not present in the relevant WebSection...
XSS when adding Stash Linked Repositories
Stash server title in the "Stash server" dropdown is not being escaped and if it contains a script tag that script will be eval'd. Our Stash QA test data has the server title "Welcome to alert666 Long Ståш Title with ..." which causes the "666" to alert when the "Add repository" button is clicked...
REST API allows to get worklog from issue without access rights to that issue
On JIRA OnDemand v6.3-OD-08-005-WN also here! it's possible to get worklog by it's ID even if this worklog does not belong to issue passed in API url. Example: On our OnDemand instance I have access rights to . When I add worklog to this issue via REST API, I get its id . Now, when I call GET...
Upgrade to Application Links 4.2.4, SAL 2.12.2+
We have vulnerability in application links: https://jira.atlassian.com/browse/JRA-38918 Bumping applinks to 4.2.4 and SAL to 2.10.20 will fix the problem. Product should implement IFRAME page capability in their login page provided by LoginUriProvider...
Reflected XSS affecting Confluence via Gadgets
Steps to recreate: 1. To view the reflected XSS affecting JIRA, present on the current JIRA installation jira.atlassian.com visit the following link: noformat...
Seemingly malformed PNG file will cause JIRA to OOM within seconds
.atlassian.net was chain-OOM-ing earlier today. jworley was able to narrow it down to an image attachment on a particular issue. It's only a 300KB PNG file a screenshot from an Android device but it causes JIRA to OOM almost immediately. I've been able to replicate that behaviour on my jira-dev...
Flash content-type sniffing allows Cross Site Data Hijacking
As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website it is possible to upload a flash file to confluence with a different content-type than for flash and when embedded on an attacker's domain will be able to make requests to the...
Disabled user are still able to request for password reset email.
h3. Step to Reproduce: Disable a user test in Crowd administration console make sure that there is no duplicate user Request password reset for the disabled user test h3. Expected result No mail will be sent to disabled account. h3. Observerd Result. The disabled user still receive the password...
Indexable User Content (Attachments) on Google
User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing rules such as those in /robots.txt. Additionally, such content being indexed can be removed from Google by consulting Google's Webmaster tools. An example of indexable content is below:...
Indexable User Content (Attachments) on Google
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47021. panel User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing...
Multiple CSRF vulnerabilties in Question/Answer Threads
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47240. panel Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions suc...
Multiple CSRF vulnerabilties in Question/Answer Threads
Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions such as the following, if the victim visits the attackers malicious resource: Confirmed affected: - Upvoting of answers - Downvoting of answers - Deletion of answers or comments - Liking...
Multiple CSRF vulnerabilties in Question/Answer Threads
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47240. panel Multiple CSRF vulnerabilities exist on answers.atlassian.com where an attacker can potentially perform actions such...
Upgrading to 5.5.1 from 5.4.3 didn't update xwork from 1.13 to 1.17
We recently upgraded our instance following your security advisory. It was discovered shortly after the upgrade that the xwork file that was vulnerable 1.13 was not upgraded to the safe version 1.17. This could have just been specific to our instance but you should check your upgrade process and...
prevent crashing when running out of database connections
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-33522. panel One common total crash for Confluence is when it does run out of database connection. Any reliable web application...
Restrictions do not apply in calendar macro
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-49762. panel Team Calendar restrictions do not apply if the calendar is in a Calendar Macro withing a Confluence page. +Repro...
JSON-RPC API allows anonymous content rendering
The renderContent method can be used by anonymous users, leaking information, and allowing macro execution. Should the entire JSON-RPC be inaccessible to anonymous users if anonymous users can't use confluence?...
Automatic access added to newly added bitbucket account without notificiation
Steps to replicate: Add a new bitbucket account to your JIRA OnDemand instance via the DVCS connector. Click on the cog to the right of your new account and view 'configure automatic access' Result: Automatic access will be set up and membership to the 'developers' group will be granted Expected...
Project description is persistent XSS vector for project admins
This issue is a clone of another one that was fixed in OD but left unfixed in BTF as "admin xss". It has been pointed out by several customers that this exploit requires only project admin level of privilege. The following project description: code alert1 code Pops up in the view project page, th...
XSS on several select lists
Steps to reproduce: -Create a new issue type -Add "alert'Issue name' as Issue name mind the qoute at the beginning -Add "alert'Issue desc' as Issue Description -Add /images/icons/issuetypes/genericissue.png "alert'Issue icon' as Issue Icon -Make sure that this issue type is available on your...
Whitelist or blacklist for inline attachment display
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-32204. panel Currently, there are three Attachment Download Security Policy: Default Insecure Secure !sample.png! It would be...
@mention Notification for Comments on Restricted Page in Confluence 5.4.x
In Confluence 5.4.x versions, the user is getting comment notifications in a page that he's restricted to view. If you restrict an user to view or edit the page through 'Tools Restrictions' and then comment in a page, the user will get the notification about it in the Workbox. h4.Steps to...
Administrator can change avatar without establishing a Secure Administrator Session (WebSudo)
Administrator can click on avatar of another user and change the avatar. This doesn't require the administrator user to establish a websudo session...
Content with inherited restrictions still appears in search results
I don't know the full story here but there have been numerous reports on EAC now of cases where clicking on a search result gives a 'Not permitted' response. Further investigation by an admin will show that in these cases a parent or grandparent has viewing restrictions applied. It would appear...
Password reset emails are unusable on Outlook Web Access
When viewing a requested password reset email in Outlook webmail a user cannot see the button representing the main required action. Screenshot attached shows text highlighted to better demonstrate the issue White text on White background. Probably an Outlook issue but I think there might be...
Password reset emails are unusable on Outlook Web Access
When viewing a requested password reset email in Outlook webmail a user cannot see the button representing the main required action. Screenshot attached shows text highlighted to better demonstrate the issue White text on White background. Probably an Outlook issue but I think there might be...
XSS vulnerability in JIRA description field
Using a link like: code https://x.x.com/x= please click here onmousemove=alert1 code shows a serious XSS vulnerability - using error correction in browsers Firefox 24 - in the JIRA description field and most likely every other wiki-style rendered field. Example: https://x.x.com/x= please click he...
XSS vulnerability in JIRA description field
Using a link like: code https://x.x.com/x= please click here onmousemove=alert1 code shows a serious XSS vulnerability - using error correction in browsers Firefox 24 - in the JIRA description field and most likely every other wiki-style rendered field. Example: https://x.x.com/x= please click he...
Missing access controls in loadattachmentversions action
The loadattachmentsversions action is accessible to any user of Confluence and returns version history information for an attachment. No access controls appear to be implemented for this action and any user of Confluence can obtain version history for any attachment, including those on pages in...
Miscellaneous actions are vulnerable to CSRF
This issue is to track the following subset of actions from CONF-27690: StartClusterAction, execute ExternalUserConnectivityAction, execute HandleNameConflictsAction, execute FlushIndexQueueAction, execute ContentRemigrationAction, execute...
CSRF in resetstylesheet.action
SpaceEditStylesheetAction.doReset EditStylesheetAction.doReset...
XSS in Hot Referrers
To reproduce: 1. Run the following command, replacing \PAGEURL with the URL of a new page and \USERNAME and \PASSWORD with your credentials if anonymous access is not enabled: code:none curl 'PAGEURL' -H 'Referer: https://example.com/x"xx' -u 'USERNAME:PASSWORD' -si code 2. Repeat step 1 a few...
Doconfiguretheme action accessible to non-administrative users
The doconfiguretheme action allows for configuration of the Documentation theme for Confluence. This action is defined in two namespaces, one of which is accessible by any user of Confluence including anonymous users, if anonymous use of Confluence is allowed. If this action is executed with no...
RSS Macro should not trust all content from the origin server by default.
The RSS feed macro currently appears to be enabled by default in Confluence. This is contrary to the information contained in the following Confluence documentation: https://confluence.atlassian.com/display/DOC/RSS+Feed+Macro While a whitelist is enforced by default, as confluence implicitly trus...
Persistent cross-site scripting (XSS) via DailyMotionRenderer
A number of renderer classes used by the widget macro were previously identified that contained URL validation flaws leading to persistent cross-site scripting XSS vulnerabilities. The modified classes now make use of the isUrlMatch method from the WidgetConnectorUtil class in the implementation ...
XSS in admin/ViewIssueFields.jspa
Reproduction: 1. Create custom fields with alert1 in name and/or description. 2. Go to 'Field Configurations' 3. Click 'Add Field Configuration', enter any text in 'Name' 4. Hit okay and wait for the page to refresh 5. Choose the config you just made - XSSed...