4295 matches found
OAuth Administration screen is visible to anonymous users
If anonymous user access is enabled under "Global Permission", user can access to "OAuth Administration" page without the need to log-in. Here is the URL to the page: /plugins/servlet/oauth/view-consumer-info This page display Confluence administrators menu on the sidebar and other information su...
Resource file path traversal in WebImagesDownloadResourceManager
To reproduce: 1. Create a new page named foo any name can be used, but it must match the markup in step 3 2. In the editor, create an unmigrated-wiki-markup macro by typing "\a" don't copy/paste 3. Replace the "\a" in the macro with: code:none foo|foo|" code 4. Save the page. 5. Export to word...
Arbitrary file or URL download in ExportWordPageServer
To reproduce: 1. Create a new page. 2. Insert an image with URL: code:none file:///etc/passwd code Edit the page, click +, click Image, select the From the Web tab, enter the file: URL shown above, click Insert, click Save. The image appears invisible on some browsers, but you can verify its...
getRedirect in JiraWebActionSupport redirects to unsafe URLs by default
In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found: code:java / Redirects to the value of @code getReturnUrl, falling back to @code defaultUrl if the @code returnUrl is not set. This method clears the @code returnUrl. If...
Moving pages around spaces using HTTP get without XSRF token
Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this: http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2 Malicious example of how to exploit this in an email message: after opening the email, th...
'self' xss reported in a question's moderate
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47423. panel We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com...
/rest/menu/1.0/appswitcher displays data unauthenticated
"Calling" this function returns data without any authentication required: noformat curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...
Convert the SecurityHeadersInterceptor into a filter that applies to /*
The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current implementation is done in an interceptor0 it is possible for some resources to be sent without the X-XSS-Protection header. 0 SecurityHeadersInterceptor is in the default interceptor...
Reflected XSS in JIRA Admin Panel (Delete User)
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...
OGNL double evaluation in atlassian-xwork
We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. A valid user account is not...
Page Properties Report showing restricted items
Pages using the Page Properties control that are restricted, still display in a page with the Page Properties Report control when they should not. To clarify: A page with the Page Properties Report control that is unrestricted, shows all of the relevant pages within it. However a few of the pages...
Restricted Work Log entries show in the Activity Stream in JIRA Server
h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...
Elevation of global permission from Administrator to System administrator
With "Administrator" permission I go to the global permissions page http://:7990/admin/permissions. 1. Type in the name of another user without any global permissions. 2. Select "System Administrator" as permission. 3. Press save. Expected result: Stash would deny me creating a "System...
Elevation of global permission from Administrator to System administrator
With "Administrator" permission I go to the global permissions page http://:7990/admin/permissions. 1. Type in the name of another user without any global permissions. 2. Select "System Administrator" as permission. 3. Press save. Expected result: Stash would deny me creating a "System...
View Content Permission Set not Complete.
The Content Permission Set returned from the method getViewContentPermissions is incomplete. It appears to only contain a single ContentPermission object regardless of how many View permisisons have been attached to a Page. 1 Create a new page 2 Assign a View restriction for 1 group 3 Assign View...
Passwords of configured SMTP mail accounts are stored in cleartext
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by: code SELECT FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts'; code Even when being an admin I should NOT be able to read-out other users email account password! This...
https://jira.atlassian.com/500page.jsp
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-33042. panel this page shows all the data about JIRA instance to intruder. It makes it more vulnerable when you know the whole setup...
SPAM via Answer
I have received an email notification containing a link as an aswer one of my questions. It turns out that a spam. I went online check my question and saw that the answer is not on it. So I believe this is very serious issue as we all trust and gave some personal information to Atlassian. Please...
SSL Enabled but some link point to http:// instead of https://
This scenario will happen if enable both HTTP8090 and HTTPS8433 and 'Server Base Url' is set to HTTP. Reproduce procedures 1. Access confluence via HTTPS 2. Click menu 'Space' at the top menu 3. At 'Space Directory' page, click any of the menu at the left side eg. All spaces etc. then click link ...
Workbox (Notifications and Tasks) leaks restricted information from a jira issue
If a confluence instance is configured to pull notifications from a JIRA server then if a user 'B' not in group 'A' watches an issue and a comment is added to the issue restricted to group 'A' then user 'B' is able to see the contents of the restricted comment via the "Notifications and Tasks"...
Security enhancement: do not allow POST parameters to be used in GETs
My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your attention as an opportunity to improve security. Summary: quote Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design...
Anonymous users can see page restriction data, exposing user ids and group names
If an user navigates to a page that has any kind of individual "editing" restriction but is of public view and then clicks on the padlock icon, he or she will see the Names, Uids of the users who are mentioned in the "edit" restriction or any groups part if the restriction. We think it is wrong t...
Webwork direct method invocation can bypass validatingStack through Action aliases
WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to different names. This allows a developer to reuse the same action logic, but provide different results based on interceptors. When an action is invoked, Webwork will typically call its...
Inactive users still receiving emails from "Send email" function
The JIRA documentation for deactivating users says, bq. Will not receive any email notifications from JIRA, even if they continue to remain the assignee, reporter, or watchers of issues. However, when users have been marked as inactive they are not excluded from emails sent to groups via the 'Sen...
persistent xss in a user's username within mentions within comments
A user's username is injected into the "rel" attribute of the user mention link without being encoded properly. This means that if the username contains a " character then new attributes can be injected into the user mention link element. Hence, providing a persistent xss vector. To reproduce thi...
Session-timeout not being respected
As per the following KB I made changes that should have seen timeout reduced to 2 minutes. https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597 in /confluence/WEB-INF/web.xml code 2 code I can't force Confluence to have a session timeout. This issue has been reproduced on first...
User email showing in suggestions section with visibility set to hidden
Assignee user-picker shows user email in Suggestions section, with User Email Visibility set to hidden. Steps to reproduce: Email Visibility set to show user emails Assign issue to test user Set Email Visibility to Hidden Go to assign issue and search for user in the Assignee field Previous...
Reflected XSS within the username parameter of the /user/non-system/{username} rest resource
The confluence-rest-plugin has a rest resource to look up "non-system" users which takes in a username. If given username supplied is not found then it is included in an xml error message without being xml encoded and thus is a XSS vector. That is, and other such xml special characters are not...
Turning off Anti-XSRF protection for comments has no effect
Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off verified that the setting is saved in the BANDANA table, adding comments is not possible, due to an XSRF warning. This is also covered in more details on this KB:...
Session ID and remember me cookie should expire when LDAP user password is changed
Steps to reproduce Login as a normal Confluence user In another browser or in incognito mode, login as system administrator Go to Confluence Admin Manage Users and click on the user Click Set Password and set a different password for this user Refresh the page and the user can still access the pa...
As a JIRA System Administrator, I can instruct web browsers to not allow saving a user's password in the various login options, so that unauthorized users can not access the system.
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29447. panel In some organisations, as part of a set of security requirements, it is required for compliant applications, to disallow users t...
Persistent xss flaw in the revision history (of comments).
Whilst a comment is html encoded /sanitized when displayed within an answer to a question the revision history page for an edited comment does not sanitize or html encode the content of the current and previous comments. Therefore an attacker can exploit this issue to craft a persistent xss attac...
persistent xss vulnerability through uploaded files in IE8/9
It is possible to upload a number of file types checked by extension to an answers instance and then download them later. Internet Explorer8/9 sniffs text/plain and some other content-types downloads to determine the 'content-type' to use. This means that a text/plain content-type file in interne...
persistent xss vulnerability through uploaded files in IE8/9
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46953. panel It is possible to upload a number of file types checked by extension to an answers instance and then download them...
persistent xss vulnerability through uploaded files in IE8/9
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46953. panel It is possible to upload a number of file types checked by extension to an answers instance and then download them...
XSS (reflected) in fieldsKeys parameter of GHCreateNewIssue.jspa
Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield10006,summary,fixVersions,components,customfield10005,assignee,customfield10004,reporter,customfield100039fd29alert'XSS'15d31825f8e9d6606&fieldsValues=1@%@...
XSS (reflected) in rankVMID parameter of GetRankPage.jspa
As per https://sdog.jira.com/browse/JSTDEV-2110 Targets:...
The csrf token cookie should be a 'secure' cookie like the sessionid cookie
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46613. panel That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1....
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-26049. panel h5. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and...
XSS vulnerability in the "move" page action with html/js in the page name
There is an persistent xss vector in the 'move' page action on a page, where the javascript/html payload is included in the name of the page. Steps to reproduce: 1.create a page named: "''/'kasdfjas'dfasdf 2. on the page click on the "move" option under the tools drop-down menu 3. see an alert bo...
XSS vulnerability in the "move" page action with html/js in the page name
There is an persistent xss vector in the 'move' page action on a page, where the javascript/html payload is included in the name of the page. Steps to reproduce: 1.create a page named: "''/'kasdfjas'dfasdf 2. on the page click on the "move" option under the tools drop-down menu 3. see an alert bo...
Password Reset doesn't recognise spaces in usernames
When I enter my new password and submit the page, it responds with a message about the username 'philip', but my username is 'philip widan'. There was a similar issue with the Bonfire plugin, which required an upgrade to JIRA v5 to resolve. The URL I clicked on to get to the password reset page...
persistent xss through flash swf file attachment download
It is possible to upload a flash swf file which when the attachment 'download' url is visited the flash swf file is executed in the browser and as such can use ExternalInterface.call method to inject javascript defined in the swf file into the browser...
multimedia macro allows execution of arbitrary scripts
The multimedia macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded user submitted swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The multimedia tag is bundled in with the base product and not an...
persistent xss through svg file attachment download
The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml method. This means that is possible for a malicious party to upload a svg file containing html/javascript which will be rendered in victim's web browser. This bug should have been raised a while ag...
Several REST interfaces vulnerable to XSRF
Several REST web services are vulnerable to XSRF|https://www.owasp.org/index.php/Cross-SiteRequestForgeryCSRF, allowing malicious web pages to execute them under the context of a logged in users browser. It's understood that JIRA REST interfaces are typically protected against XSRF based on the...
ConsumerConfigurationServlet Open Redirect
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled
quote LDAP directory users and groups exposed via the /users/userpicker.action. There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior. quote quote The second exposed function that is part of this vulnerability is...
admin/fixcwdmemberships.jsp lacks an XSRF token to run the repair action.
admin/fixcwdmemberships.jsp does not require a csrf token to run the repair action. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
admin/migratelocalgroups.jsp Atlassian Local Group Migration Recovery lacks an XSRF token to run the migration
admin/migratelocalgroups.jsp Atlassian Local Group Migration Recovery does not require a csrf token to run the migration. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...