4295 matches found
rememberme cookie is not cleared when user changes password in Confluence
When a user changes their password, the seraph cookie is still valid. To avoid this, all entries for the changed user in the table remembermetoken should be removed...
rememberme cookie is not cleared when user changes password in Confluence
When a user changes their password, the seraph cookie is still valid. To avoid this, all entries for the changed user in the table remembermetoken should be removed...
The application should return caching directives instructing browsers not to store local copies of any sensitive data.
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29625. panel We want to control the server's caching directives from within individual scripts. We have identified following locations, wher...
Inherit Edit Restrictions for Child Pages
As it said in Documentation for Page Restrictions|https://confluence.atlassian.com/display/DOC/Page+Restrictions: quote'Edit' restrictions are not inherited from the parent page, only from the space. In a space, the 'Add Pages' permission governs both the creation and the editiing of pages. See...
GH Webwork actions are vulnerable to XSRF.
GHCreateNewIssue.jspa is not protected against XSRF attacks. Impact: It is possible for an attacker to make a victim create new issues on the victim's JIRA instance through this bug in GHCreateNewIssue.jspa...
There is a reflected xss flaw in the settings.action of dailysummary settings.action.
There is a reflected xss flaw in the settings.action of dailysummary settings.action as the username parameter is not html encoded before being rendered on the page. Here is an example of a reflected xss it adds a picture of a lolcat to the page...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won'...
ValidationHash generation should use random.SystemRandom instead of random class
ValidationHash generation should use random.SystemRandom instead of the random.Random class when generating a random seed for new hash objects. code from random import Random .... class ValidationHashManager models.Manager : def generatemd5hash self, user, type, hashdata, seed : return md5...
XSS vulnerability in Office Connector plugin
From: OFFCONN-81: Using "office excel"-macro as part of viewfile, which is part of office connector plugin seems to open up the possibility to get injected with XSS-code. Steps to reproduce: 1. Create an excel-file with following content in one cell: code '"alert'XSS' code 2. Attach this file to ...
Several REST interfaces vulnerable to XSRF
Several REST web services are vulnerable to XSRF|https://www.owasp.org/index.php/Cross-SiteRequestForgeryCSRF, allowing malicious web pages to execute them under the context of a logged in users browser. It's understood that JIRA REST interfaces are typically protected against XSRF based on the...
OauthApplinksServlet Open Redirect
The OauthApplinksServlet servlet has an open redirect vulnerability in the doGet that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirec...
CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen
The administration screen which facilitates the addition of new custom field options is vulnerable to csrf, as it does not check that the atltoken submitted is in fact legitimate for the user submitting it you can put in any value for the token field. To access this screen you can go to a url...
CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen
The administration screen which facilitates the addition of new custom field options is vulnerable to csrf, as it does not check that the atltoken submitted is in fact legitimate for the user submitting it you can put in any value for the token field. To access this screen you can go to a url...
The vulnerability exists in the standalone and also in the online demonstration enviroment.
It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter should contain at least two charakters. It is possible to enumerate all usernames by performing a search from 'query' value 'aa' to 'zz'...
admin/fixCaseInNotifications.jsp lacks an XSRF token to start 'notifications fix'
admin/fixCaseInNotifications.jsp does not require a csrf to start 'notifications fix'. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
restructureattachments.jsp Triggering off a Restructure job lacks an XSRF token
In restructureattachments.jsp Triggering off a Restructure job does not require a csrf token. To trigger it just send a POST to the page with the following post data: 'action:Restructure'. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to...
Confluence Page View Restriction is not Inherited when Ancestor CONFANCESTORS Table Gets out of Sync
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-25189. panel When Confluence ancestor CONFANCESTORS table gets out of sync or corrupted. Page View restriction are not inherited...
Disable browser password save on Admin page in Firefox
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-25008. panel In Chrome, Safari and IE there is no browser prompt to store the password but on Firefox both Mac and Windows I get...
RSS feed over entire site gives information on restricted pages the user should not see
A customer has reported this issue via a comment on the documentation: http://confluence.atlassian.com/display/DOC/Working+with+RSS+Feeds?focusedCommentId=276627497comment-276627497 quote When someone has an RSS feed covering the whole Confluence instance, he is informed about changes in restrict...
Comment field on GH cards do not respect the comment visibility.
If you add the Comment field on any Issue Views on GH the field shows the latest comment but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on Planning board and Task board with any GH views Summaries, Cards and Lists. Steps to Reproduce: Add the comment field to a...
XSS vulnerability in user's profile display name
We have identified and fixed a stored cross-site scripting XSS vulnerability in the FishEye user profile. Affected versions are all versions earlier than 2.5.5 XSS vulnerabilities allow an attacker to embed their own JavaScript into a FishEye page. You can read more about XSS attacks at various...
XSS vulnerability in user's profile display name
We have identified and fixed a stored cross-site scripting XSS vulnerability in the FishEye user profile. Affected versions are all versions earlier than 2.5.5 XSS vulnerabilities allow an attacker to embed their own JavaScript into a FishEye page. You can read more about XSS attacks at various...
View PDF Macro in Office Connector makes http fetch from Adobe from https session
The View PDF macro within the Office Connector plugin provides the following http URL even for https sessions when a user's browser fails the Flash installed test. http://www.adobe.com/images/shared/downloadbuttons/getflashplayer.gif It's bad form to mix http urls in with secured https sessions a...
XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin
We have identified and fixed a cross-site scripting XSS vulnerability in JIRA administration interface. Affected version is JIRA 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various places on the web...
Inline attachment downloads vulnerable to XSS by setting tweaked HTML content type
Please see CONFDEV-9069 https://jira.atlassian.com/browse/CONFDEV-9069 for the current issue addressed at fixing attachment XSS vulnerabilities. --- TLDR: white-list mime-types which can be served "inline" and don't let the user set arbitrary mime-types. I have been having a good laugh sorry...
Better error message when viewing an embedded calendar as an unprivileged user
On our site's dashboard I have a calendar macro defined as: codecalendar:id=8f564b4b-afed-4ceb-b206-2e426f595648,a80c628d-5155-40bc-8a55-0874fb77bf71code The result is something that looks like this: !User with View Rights.JPEG! After using the new features from TEAMCAL-102 to restrict view acces...
GeneralUtil.htmlEscapeQuotes should be annotated HtmlSafe
The GeneralUtil.htmlEscapeQuotes method outputs HTML and thus should be annotated as @HtmlSafe. Not doing so causes its output to be double escaped when automatic escaping is enabled for the plugin/velocity template...
On internal error, JIRA will display error information to the user (in the browser)
When JIRA bundled tomcat?? encounters an internal error it displays error information to the user in the browser. This can leak internal, possibly sensitive, information. It should report that there was an error and inform the user to contact their JIRA admin...
Members of confluence-administrators receive notifications for comments and attachments on restricted pages
Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages. There is a bug in the permission check for notifications about "contained" object...
HTML file type attachments are automatically rendered in IE.
h1. Steps to reproduce Create following HTML file and upload to any of Confluence page. code alert"Cookie: " + document.cookie; code Open the file on Internet Explorer 7. Then, you will see the javascript in that HTML file executed automatically. Issue happens with IE9,8,7 with Confluence 3.5...
When configured for Internal Database with LDAP for Authentication Only, Confluence does not check the LDAP when authenticating users
Configured Confluence to keep and manage users in its internal database, but to first try to use LDAP for authentication only, via the new interface. Debug output suggests Confluence is not bothering to check the LDAP at any point during the authentication process. More detail is available here:...
"Forgot Password" feature should not reveal that a given username exists within Confluence for security reason
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-22388. panel It is possible to see which user exists on Confluence or not from within "Forgot Password" link. This is bad for...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
User Enumeration
Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that at least two vulnerabilities regarding User Enumeration were found within the software. Case 1: Logged In Whenever a logged user accesses the Url...
Admin menu items displayed to non-admins when accessing "Global Templates" page
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-21562. panel When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel are...
Increase the web session timeout from 60 minutes to 300 minutes
Usability and security testing have shown that XSRF time out is annoying people in the wild. The security guy Vitaly has ok'ed the limit to be increased. This has been done on trunk along with other changes and should be done on 4.3 branch as well...
Security Vulnerability in Confluence Remote API
We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The Remote API|http://confluence.atlassian.com/display/DOC/Enabling+the+Remote+API allows an attacker to escalate user privileges, excluding the level of syst...
Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication
When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail. h3. Resolution This is fix...
XSRF vulnerability in the Mail Page plugin
We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Mail Page plugin. Note that the Mail Page plugin is disabled by default. If you do not have this plugin...
XSS vulnerability in the Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal...
websudo annotation backwards compatibility (Confluence 3.3)
Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...
sudo is decorated with global decorator
The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use confluence. By decorating the sudo login pages using the global decorator it exposes the user to...
XSS vulnerability in PDF export
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...
Require user to answer CAPTCHA after three failed attempts
Require user to answer CAPTCHA after three failed attempts. For SOAP and XMLRPC this means that the user will have to open a browser to answer the CAPTCHA, similar to how google does it. This issue has been rated MODERATE. Please refer to http://confluence.atlassian.com/x/ZILmD for details on oth...
brute force password attack protection by default
We have added an upgrade task to set jira.maximum.authentication.attempts.allowed=5 on all instances even if they previous had set it to something else. This is to ensure that systems are more safe by default...
Group picker popup JSP has XSS hole if group names are XSS shaped
If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...
screenshot-redirecter.jsp XSS attach via the afterURL parameter
The screenshot-redirector.jsp does note escape the 'afterURL' URL parameter correctly, leading to an XSS attack vector...
issuelinkssmall.jsp has an XSS hole via the URL used to access it
The issuelinkssmall.jsp has an XSS hole, where if the URL contains an XSS string, the ww:url tag will include that tag in the page because the value attribute was left empty...
JQL breaks issue security levels based on custom fields
The MultiSelectCustomFieldIndexer does 2 things: index but don't store a case-folded version in the field "customfield10017:retail" store a "raw" version in a new field with the raw added to the end "customfield10017raw:Retail" The problem is that com.atlassian.jira.security.type.GroupCF looks fo...
Confluence adminsistrators can still view a restricted page if the type in the URL or click on a link in an email
If I set page viewing restrictions on a wki page to one group of which I am a member, other users, including confluence adminsistrators, cannot see the page when navigating within the application. If they type in the URL of the restricted page or click on a link to the restricted page, then can...