Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2020/04/02 4:28 a.m.110 views

Stored XSS in Add Field module - CVE-2019-20900

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the Add Field module. Affected versions: version 8.7.0 Fixed versions: 8.7.0...

4.8CVSS5.2AI score0.00918EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.110 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Confluence before version 6.13.6, from version 6.14.0 before version 6.15.5, and from version 7.0.0 before 7.0.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See...

4.3CVSS2.3AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/09 2:59 a.m.110 views

Git downloads over HTTP

SourceTree downloads the standalone Git and every other zips over HTTP from the Atlassian servers. This is not secure and should be switched to HTTPS...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/02/26 7:31 a.m.110 views

JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-59980. panel h3. Security information The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...

5.9CVSS2.2AI score0.016EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/08/27 3:55 a.m.109 views

RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114

A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6,...

8.8CVSS6.2AI score0.01657EPSS
Exploits0
Atlassian
Atlassian
added 2020/09/16 3:8 a.m.109 views

User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies. The...

5.3CVSS3.6AI score0.99209EPSS
Exploits1
Atlassian
Atlassian
added 2016/07/20 8:22 a.m.109 views

Upgrade commons-fileupload to version >= 1.3.2

This is to mitigate CVE-2016-3092 See https://vulners.com/cve/CVE-2016-3092 for details...

7.8CVSS7.8AI score0.35927EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/09/07 7:28 a.m.108 views

DoS (Denial of Service) in Confluence Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 5.6 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely...

7.6AI score
Exploits0
Atlassian
Atlassian
added 2023/02/03 5:50 a.m.108 views

Information Disclosure via QueryCompenentRenderer API

Affected versions of Atlassian Jira Server and Data Centre allowed an unauthenticated remote attacker to fetch Issue,Project and Sprint information via Information Disclosure Vulnerability via "/secure/QueryComponentRendererValue!Default.jspa" endpoint. Affected versions: version 9.5.1 Fixed...

6.4AI score
Exploits0
Atlassian
Atlassian
added 2021/11/02 11:0 p.m.108 views

Unicode characters allow malicious code to be hidden from a human reviewer (Bamboo) - CVE-2021-42574

Researchers at the University of Cambridge reported a vulnerability affecting Bamboo where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or cod...

8.3CVSS3.4AI score0.12205EPSS
Exploits4
Atlassian
Atlassian
added 2021/07/14 11:35 a.m.108 views

Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

h3. Issue Summary The recently disclosed vulnerability regarding Apache Tomcat CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037, CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037 Base Score: 5.3 MEDIUM CVE-2021-42340|https://vulners.com/cve/CVE-2021-42340 NVD score not yet...

7.5CVSS6.5AI score0.75353EPSS
Exploits16Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:47 a.m.108 views

Authorisation bypass in the ViewUpgrades resource - CVE-2019-8443

The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...

8.1CVSS6.1AI score0.02618EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/09/12 6:53 a.m.108 views

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluen...

7.5CVSS0.9AI score0.03712EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2024/09/03 4:6 p.m.107 views

org.springframework:spring-web used by Jira 9 contains vulnerabilities

Jira 9 and possibly the upcoming Jira 10 are affected by CVE-2024-38808. https://spring.io/security/cve-2024-38808 https://asecurityteam.atlassian.net/browse/VULN-1409329...

4.3CVSS6.7AI score0.00536EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/03 10:45 p.m.107 views

Update application links to 5.4.23 to fix CVE-2020-5398

Affected versions of Atlassian FishEye and Crucible allow remote attackers to view sensitive information via an Information Disclosure vulnerability in a vulnerable version of the Application Links component. The affected versions are before version 4.8.6. Affected versions: version 4.8.6 Fixed...

8CVSS5AI score0.88077EPSS
Exploits2Affected Software1
Atlassian
Atlassian
added 2020/02/05 4:3 p.m.107 views

CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery CSRF. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerat...

4.3CVSS2.8AI score0.00743EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/01/15 3:29 p.m.107 views

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

h3. Issue Summary The recently disclosed vulnerabilities regarding Apache Tomcat CVE-2019-12418|https://vulners.com/cve/CVE-2019-12418 CVE-2019-17563|https://vulners.com/cve/CVE-2019-17563 Which affects the following versions: Apache Tomcat 8.x from 8.5.0 before 8.5.50 We should bundle a more...

7.5CVSS8AI score0.10687EPSS
Exploits0
Atlassian
Atlassian
added 2019/12/17 4:10 a.m.108 views

Information disclosure in the listEntityLinks servlet resource of the Application links plugin - CVE-2019-15011

The version of the Application Links plugin used in Fisheye before version 4.7.1 allows remote attackers to obtain information about configured application links via a missing permissions check. See https://ecosystem.atlassian.net/browse/APL-1386 for more details...

4.3CVSS2.9AI score0.00915EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/07/17 7:43 a.m.107 views

XSS in review dashboard through a custom filter title - CVE-2017-9507

The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the review filter title parameter...

5.4CVSS4.1AI score0.00818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/02/13 4:43 a.m.107 views

Multiple Vulnerabilities in JIRA Workflow Servlet

||Affected Versions|| |4.2.4 = version 6.3.0| An anonymous user can perform multiple attacks on a vulnerable JIRA instance that could cause remote code execution, the disclosure of private files or execute a denial of service attack against the JIRA server. This vulnerability is caused by the way...

9.8CVSS4.6AI score0.16239EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2020/04/19 11:32 p.m.106 views

XSS in XML export view - CVE-2020-4021

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the XML export view. Affected versions: version 7.13.16 8.0.0 ≤ version 8.5.5 8.6.0 ≤ version 8.8.1 Fixed versions: 7.13.16 8.5....

5.4CVSS5.6AI score0.01003EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/04/02 1:51 a.m.106 views

XSS via project configuration - CVE-2019-20416

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the project configuration feature. Affected versions: version 8.3.0 Fixed versions: 8.3.0...

4.8CVSS5.5AI score0.0059EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/08/01 4:1 a.m.106 views

Macro browser breaks https secure connection

h3. Issue Summary Macro browser loads http insecure resources including a data:image/png and a testing mocking resource http://example.com/bla-bla-bla h3. Environment Optional - If Applicable h3. Steps to Reproduce Create a page Open macro browser h3. Expected Results Connection remains secure h3...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2023/05/17 6:46 a.m.105 views

Upgrade spring-core for CVE-2023-20860

h3. Issue Summary Bitbucket Server/DC includes the following two libraries, which may be vulnerable to CVE-2023-20860|https://vulners.com/cve/CVE-2023-20860: /app/WEB-INF/lib/spring-core-5.3.23.jar /opensearch/plugins/opensearch-sql/spring-core-5.3.22.jar Bitbucket isn't known to be vulnerable, b...

7.5CVSS6.7AI score0.03514EPSS
Exploits1
Atlassian
Atlassian
added 2018/03/02 6:55 p.m.105 views

Stored XSS in Confluence / Links in Code Block

This is reported from bugcrowd: publish code block with content single quotes included: 'https://w3.org/"style="width:100%;height:100%;position:fixed;left:0;top:0"onmousemove=alert1//' That should work both in comment and article sections...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2016/07/07 4:22 a.m.105 views

CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent. Affected versions: All versions of Bamboo...

9.8CVSS3.9AI score0.0709EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/10/12 4:26 a.m.105 views

CVE-2015-6576: Deserialisation Resulting in Remote Code Execution Vulnerability

Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface...

8.8CVSS4.4AI score0.03618EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/06/19 6:43 a.m.104 views

Denial of Service attack through vulnerable Xerces-J library

quote There is WebDav endpoint that is accessible via following URL - https://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for PROPFIND request. Following python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002...

7.1CVSS1AI score0.24738EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2022/01/11 12:37 p.m.103 views

[BUG] Unauthenticated issues enumeration through API

I detected that in JIRA onprem with API REST exposed an attacker that knows or discover the name of a project can enumerate the issues that exists related to the project. All of this without logged in on JIRA or any credentials. The response of the server changes when the issue exists on the...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2018/01/12 4:33 a.m.103 views

XSS through the orderby parameter in the issue search resource - CVE-2017-16864

The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the orderby parameter...

6.1CVSS5.7AI score0.01165EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/10 4:57 a.m.103 views

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

Description Bamboo used a version of Struts 2 that was vulnerable to CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo Affected versions: All versions o...

10CVSS1.5AI score0.99999EPSS
Exploits44
Atlassian
Atlassian
added 2021/02/03 10:53 p.m.102 views

Stored XSS via Custom Fields on Screens Modal - CVE-2020-36234

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14...

4.8CVSS4.4AI score0.01015EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2020/03/18 4:2 p.m.102 views

Opening 404 page (page not found) without user session will open 404 page instead of opening login page.

h3. Issue Summary Opening a random page on Confluence with a user that is not authenticated will display "Page not found" 404 page instead of the login page. h3. Steps to Reproduce Make sure you are not logged in. Try to open BaseURL/ABC h3. Expected Results As you do not have session information...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:35 a.m.102 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2013/06/19 9:30 a.m.102 views

Upgrade bundled Tomcat to the latest minor release

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-33563. panel Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabilitie...

5CVSS7.2AI score0.11975EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2024/01/04 5:19 p.m.101 views

CVE-2023-48795 vulnerability on SSH

panel:title=Strict key exchange support|borderStyle=solid|borderColor=3c78b5|titleBGColor=3c78b5|bgColor=e7f4fa The server now supports strict key exchange in 8.9.10+ LTS, 8.13.6+, 8.14.5+, 8.15.4+, 8.16.3+, 8.17.1+ and 8.18.0+. If old SSH clients that don't support strict key exchange are being...

5.9CVSS6.2AI score0.9378EPSS
Exploits4
Atlassian
Atlassian
added 2020/04/15 7:57 p.m.101 views

Stored XSS in Confluence Server via text/rdf

h3. Issue Summary There is a stored XSS in file upload functionality of Confluence Server 7.3.3. This XSS triggers only in Firefox. Bug Bounty An authenticated attacker can upload specially crafted attachment and achieve stored XSS. h3. Steps to Reproduce Go to any Confluence page Attach xss.txt...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/09/09 1:22 a.m.101 views

Template injection in Jira importers plugin - CVE-2019-15001

h3. Issue Summary There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin JIM. An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on...

9CVSS3AI score0.11366EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2019/04/29 3:14 a.m.101 views

XSS in WallboardServlet through the cyclePeriod parameter - CVE-2018-20824

The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting XSS vulnerability in the cyclePeriod parameter...

6.1CVSS4.2AI score0.37577EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/03/10 4:31 a.m.101 views

Apache Struts 2 Remote Code Execution (CVE-2017-5638)

Description Crowd used a version of Struts 2 that was vulnerable to CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Crowd. Affected versions: All versions of...

10CVSS1.4AI score0.99999EPSS
Exploits44
Atlassian
Atlassian
added 2020/08/18 4:44 p.m.100 views

Git submodules vulnerability in Sourcetree for Mac - CVE-2020-5260

There was a vulnerability in Sourcetree for macOS and windows that could reveal Git user credentials via maliciously crafted URL by an attacker, This vulnerability is triggered when the affected version of Git is used to execute a git clone command on a malicious URL. Affected versions of Atlassi...

9.3CVSS7.7AI score0.10047EPSS
Exploits2
Atlassian
Atlassian
added 2018/01/18 10:54 a.m.100 views

Missing permission check in review coverage REST endpoint - CVE-2017-18035

The /rest/review-coverage-chart/1.0/data//.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistic...

4.3CVSS5.3AI score0.00803EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2017/09/21 12:10 a.m.100 views

The bundled Atlassian Activity Streams plugin had Improper Access control inside several rest inline action resource resource - CVE-2017-9506

The version of the bundled Atlassian Activity Streams plugin was vulnerable to Improper Access control. This allowed remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have...

6.1CVSS3.8AI score0.71601EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2021/08/16 3:40 a.m.99 views

Jira is affected by Tomcat CVE-2020-13943

Affected versions of Atlassian Jira Server and Data Center used versions of Apache Tomcat that were vulnerable to CVE-2020-13943|https://vulners.com/cve/CVE-2020-13943. The affected versions of Jira Server and Data Center are before version 8.5.14, from version 8.6.0 before 8.13.6, and from versi...

4.3CVSS4.8AI score0.57286EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/07/14 6:40 p.m.99 views

Anonymous users can view list of installed gadgets in Jira

h3. Issue Summary Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Jira instance. While there are not be any identifying information, user data, or anything else available to anonymous users if they hit this URL...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2021/02/22 11:35 a.m.99 views

Update Apache Struts 2 to avoid CVE-2020-17530

Update Apache Struts to 2.5.26 to avoid CVE-2020-17530|https://cwiki.apache.org/confluence/display/ww/s2-061...

9.8CVSS2.1AI score0.95922EPSS
Exploits11Affected Software1
Atlassian
Atlassian
added 2019/07/08 10:57 p.m.99 views

Address CVE-2019-11358 in the bundled version of jQuery

The bundled version of jQuery in Crucible before version 4.7.1 was vulnerable to CVE-2019-11358 https://nvd.nist.gov/vuln/detail/CVE-2019-11358. This was fixed by patching the version of jQuery bundled with Crucible...

6.1CVSS2AI score0.87218EPSS
Exploits4Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:43 a.m.99 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2015/07/15 1:35 a.m.99 views

Update Java version bundled found in the installer to a version >= 1.8u51

Update the bundled version of java to a version = 1.8u51 1.8 update 51, which fixes many security issues http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Included in the security fixes is a fix for logjam CVE-2015-4000...

4.3CVSS1.8AI score0.9986EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2013/06/19 9:30 a.m.99 views

Upgrade bundled Tomcat to the latest minor release

Customer did a Security Scan on the instance and founded the version 5.1.8 that he is using subjected to security vulnerabilities on bundled tomcat which is version 6.0.35. Security Vulnerabilities Information: http://tomcat.apache.org/security-6.htmlFixedinApacheTomcat6.0.36 So customer...

5CVSS7.1AI score0.11975EPSS
Exploits3Affected Software1
Total number of security vulnerabilities4295