Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/03/18 3:16 a.m.21 views

XSS vulnerability in browseusers.vm

browseusers.vm does not escape usernames...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 7:12 a.m.21 views

XSS vulnerabilities in insert image and link actions

In 2.7.x, the following URL's are vulnerable: - /users/insertlink.action - /users/insertlink-page-attachmentstab.action - /users/insertlink-page-uploadfile.action - /users/insertlink-draft-attachmentstab.action - /users/insertlink-draft-uploadfile.action - /users/doinsertimageinpage.action -...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 7:12 a.m.21 views

XSS vulnerabilities in insert image and link actions

In 2.7.x, the following URL's are vulnerable: - /users/insertlink.action - /users/insertlink-page-attachmentstab.action - /users/insertlink-page-uploadfile.action - /users/insertlink-draft-attachmentstab.action - /users/insertlink-draft-uploadfile.action - /users/doinsertimageinpage.action -...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/13 1:29 p.m.21 views

Watchers can see comments that they are not supposed to see via email notifications

We have email notifications switched on for our live version of JIRA. If you watch an issue then you receive an email each time somebody comments on that issue. This email contains information about the issue including the comment that was added. This is great as it allows people to keep up to da...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/13 1:29 p.m.21 views

Watchers can see comments that they are not supposed to see via email notifications

We have email notifications switched on for our live version of JIRA. If you watch an issue then you receive an email each time somebody comments on that issue. This email contains information about the issue including the comment that was added. This is great as it allows people to keep up to da...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/13 1:29 p.m.21 views

Watchers can see comments that they are not supposed to see via email notifications

We have email notifications switched on for our live version of JIRA. If you watch an issue then you receive an email each time somebody comments on that issue. This email contains information about the issue including the comment that was added. This is great as it allows people to keep up to da...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2008/02/08 2:18 p.m.21 views

Seperate label permissions from edit issue permission

In 3.11 the labels plugin changed so that manipulating labels required the "Edit Issue" permission. This drastically impacted our organizations workflow, as we'd just introduced labels in our previous upgrade, and we don't give "edit issues" to all users, but we do want all authenticated users to...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/08 2:18 p.m.21 views

Seperate label permissions from edit issue permission

In 3.11 the labels plugin changed so that manipulating labels required the "Edit Issue" permission. This drastically impacted our organizations workflow, as we'd just introduced labels in our previous upgrade, and we don't give "edit issues" to all users, but we do want all authenticated users to...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/07 6:4 a.m.21 views

Trusted authentication doesn't work for Confluence users with uppercase usernames

Trying to use the trusted authentication feature of the Jiraissues macro doesn't work when a user's username is uppercase. JIRA shows the following in its log: quote 2008-01-23 13:59:48,104 INFO STDOUT 2008-01-23 13:59:48,104 ajp-0.0.0.0-6103-8 WARN atlassian.seraph.filter.TrustedApplicationsFilt...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2008/02/07 1:44 a.m.21 views

Moving an issue from a project with Issue Security to a project without does not clear out the security

To reproduce this issue, do the following: Create Project AAA Create Project BBB Create an Issue Level Security Scheme, and assign it to AAA only Create a Clone of the Default Field Configuration Scheme. Hide the field Security Level on the Cloned copy. Assign the Cloned copy to BBB. Create a New...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2007/11/12 3:22 a.m.21 views

Bulk Move does not update the Security Level of subtasks

When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/22 6:2 a.m.21 views

Username upper case are not being restricted in some pages

Username must be created in lowercase in JIRA. At the moment, JIRA allows the username with the lowercase or uppercase letter in Login and Add Watcher pages. It should restrict the case-sensitive when the username is request from the login page or convert it to lower case. JIRA should have this...

3.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/17 12:34 a.m.21 views

Move velocity templates and other web resources into WEB-INF in the Confluence webapp

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-9730. panel It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/12 10:49 p.m.21 views

Security Issue: XSS in wiki exception error page

The confluence wiki does contain a XSS possibility in the exception error page. The user input string is NOT output encoded at following lines: a - - Query String: url=alertdocument.cookie b - javax.servlet.forward.querystring : url=alertdocument.cookie c - atlassian.core.seraph.original.url :...

6AI score
Exploits0
Atlassian
Atlassian
added 2007/09/25 8:45 p.m.21 views

Cross-site scripting vulnerability in /dashboard.action

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. 1 of 3 Cross-Site Scripting in Parameter Name Severity: High Test Type: Application...

5.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/13 8:15 a.m.21 views

XSS Bug in printable link display

A Cross sites scripting vulnerability exists in macro used to render the 'printable' link. Here is an exploit for the vulnerability that works https://servername/wiki/display/a/2007/09/%22%3E%3Cscript%3Ealert'Watchfire%20XSS%20Test%20Successful'%3C/script%3E Bug was found using APPScan...

6.7AI score
Exploits0
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.21 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0
Atlassian
Atlassian
added 2007/08/02 10:47 p.m.21 views

Max label limit can be passed by adding labels via ajax

For CONF-8978, limits were implemented on how many labels can be added in one submit by various "add label" screens, and how many labels can be set on an edit page/edit news screen. However, there is nothing to prevent extra labels being added by the "add label" screens beyond the number allowed ...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/17 12:59 a.m.21 views

XSS vulnerability: space name and key not validated nor escaped

Email sent from Igor: quote The problem: The input for space name and key is not being validated properly. I created a JIRA for lacking length validation CONF-8894 and later on I noticed that any characters in the input for space name are allowed. Combine that with another batch of bugs - space...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/11 12:37 a.m.21 views

Security issue: user can copy page with only view permissions

I have a user who only has view permissions to a space. Logging on as that user, I went to the Info tab of a page. The Copy operation appeared, and I was able click the link, edit the copied page, and save it. This must be a security hole?...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/06/14 8:55 a.m.21 views

CommentService validation methods do not check user's security level

The validateCommentUpdate, hasPermissionToUpdate and hasPermissionToDelete methods on DefaultCommentService check the user's comment-related permissions but neglect to check whether they have a role/group security level viewable by the user attempting to delete a comment...

2.9AI score
Exploits0
Atlassian
Atlassian
added 2007/05/18 6:7 p.m.21 views

Assign Groups to Project Role screen allows entry of users as groups

When assigning groups to a project role, the screen allows the user to specify a group that is really a user name...

2.5AI score
Exploits0
Atlassian
Atlassian
added 2007/04/13 1:58 a.m.21 views

Authentication via os_username and os_password URL params is broken

Logging in by specifying username/password in the URL like this: noformathttp://jira.atlassian.com/browse/XYZ-114?decorator=none&view=rss&osusername=LOGIN&ospassword=PASSWORDnoformat used to work. tested with JIRA 3.6.3 Now you get presented with an undecorated "not logged in" message. This issue...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/21 11:3 p.m.21 views

Make anonymiser more strict about the translation of values

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-12420. panel the anonymiser replaces letter and number characters in string values during xml backup. A more strict anonymiser would replace...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/21 4:40 a.m.22 views

Deleting a custom field which has an issue security scheme or permission scheme on it causes system error

A custom field with an issue security scheme based on it is deleted. A subsequent search on a issue under this security scheme causes a system error...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2006/11/29 8:6 a.m.21 views

Directory listing enabled on Tomcat

Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/11/03 3:17 a.m.21 views

Project admin is presented with an option to select a Screen Scheme

The option of changing the scheme should only be given to the global admins...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2005/05/04 4:22 a.m.21 views

LDAP authentication falls back to database check when password is incorrect

If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/05/04 4:22 a.m.21 views

LDAP authentication falls back to database check when password is incorrect

If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/11/14 11:3 p.m.21 views

Encrypt all passwords stored on the file system

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-2146. panel Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/06/29 10:11 p.m.21 views

Spam-protection

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-1469. panel We need something like MT-Blacklist: the ability to define URL patterns that flag a page and/or comment as spam. It...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/02 6:55 a.m.20 views

Restricted page for a user is getting displayed in "Recently Updated" macro.

h3. Issue Summary Restricted page for a user is getting displayed in "Recently Updated" macro. h3. Steps to Reproduce In confluence 10.2.x create 3 normal users user01, user02, user03. Create a sample space using admin user. Create a page using admin user and add "Recently Updated" macro. Switch ...

5.8AI score
Exploits0
Atlassian
Atlassian
added 2026/05/11 11:29 p.m.20 views

DoS (Denial of Service) at postgresql dependency in Crucible Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.9.0 of Crucible Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to...

7.5CVSS5.7AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.20 views

File Inclusion in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.1, 5.17.0, 10.0.0, 10.1.2, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 7.1...

7.1CVSS6.8AI score0.00288EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.20 views

DoS (Denial of Service) in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of...

7.5CVSS6.3AI score0.0043EPSS
Exploits0
Atlassian
Atlassian
added 2026/05/05 4:29 p.m.20 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.17.2, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.1, 10.6.0, 10.7.2, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 a...

7.5CVSS6.9AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 9:50 p.m.20 views

DoS (Denial of Service) com.squareup.okio:okio Dependency in Jira Software Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.12.1, 10.3.0 not all patched versions - see the fix and affects versions field and 11.3.0 of Jira Software Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.01077EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/16 4:38 p.m.20 views

DoS (Denial of Service) brace-expansion Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0 and 11.3.0 of Jira Software Data Center. This DoS Denial of...

9.2CVSS5.6AI score0.00481EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/11 10:29 a.m.20 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2 and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

8.2CVSS5.9AI score0.00253EPSS
Exploits4
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

DoS (Denial of Service) valibot Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.1.1, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5.7AI score0.00289EPSS
Exploits0
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

File Inclusion node-tar Dependency in Confluence Data Center

This High severity File Inclusion vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

8.2CVSS7.2AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

Path Traversal (Arbitrary Write) node-tar Dependency in Confluence Data Center

This High severity Path Traversal vulnerability was introduced in versions 8.9.0, 9.0.1, 9.0.3, 9.1.0, 9.2.5, 9.5.1, 10.1.2, and 10.2.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L allows a...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/04/08 4:29 a.m.20 views

DOM-based XSS @remix-run/router Dependency in Confluence Data Center

This High severity DOM-based XSS vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A...

8CVSS7.6AI score0.0077EPSS
Exploits0
Atlassian
Atlassian
added 2026/03/06 5:29 a.m.20 views

Path Traversal node-tar Dependency in Jira Service Management Data Center

This High severity Path Traversal vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Service Management Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/06 5:28 a.m.20 views

File Inclusion node-tar Dependency in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2...

8.2CVSS5.9AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/13 11:45 a.m.20 views

CVE-2025-68493 impact on Bamboo

h3. Issue Summary Impact of CVE-2025-68493 in Bamboo https://cwiki.apache.org/confluence/display/WW/S2-069 Parsing of XML configuration in XWork component does not validate XML in proper way and it's vulnerable to XML external entity XXE injection. h3. Steps to Reproduce ||Impact of...

8.1CVSS5.9AI score0.23054EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 5:28 p.m.20 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25883 was introduced in versions 8.5 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS5.5AI score0.02761EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 4:29 p.m.20 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2020-28469 was introduced in versions 7.19 of Confluence Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS5.5AI score0.04456EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/30 7:27 p.m.20 views

RCE (Remote Code Execution) commons-beanutils Dependency in Crowd Data Center and Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to...

8.8CVSS6.3AI score0.01548EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/20 7:3 a.m.20 views

Injection cipher-base Dependency in Jira Service Management Data Center and Server

This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Service Management Data Center and Server. This Injection vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows...

9.1CVSS5.6AI score0.0047EPSS
Exploits1
Total number of security vulnerabilities4295