Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2013/09/16 1:47 p.m.20 views

OAuth Administration screen is visible to anonymous users

If anonymous user access is enabled under "Global Permission", user can access to "OAuth Administration" page without the need to log-in. Here is the URL to the page: /plugins/servlet/oauth/view-consumer-info This page display Confluence administrators menu on the sidebar and other information su...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/16 6:43 a.m.20 views

Resource file path traversal in WebImagesDownloadResourceManager

To reproduce: 1. Create a new page named foo any name can be used, but it must match the markup in step 3 2. In the editor, create an unmigrated-wiki-markup macro by typing "\a" don't copy/paste 3. Replace the "\a" in the macro with: code:none foo|foo|" code 4. Save the page. 5. Export to word...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/16 5:41 a.m.20 views

Arbitrary file or URL download in ExportWordPageServer

To reproduce: 1. Create a new page. 2. Insert an image with URL: code:none file:///etc/passwd code Edit the page, click +, click Image, select the From the Web tab, enter the file: URL shown above, click Insert, click Save. The image appears invisible on some browsers, but you can verify its...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/11 8:30 a.m.20 views

getRedirect in JiraWebActionSupport redirects to unsafe URLs by default

In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found: code:java / Redirects to the value of @code getReturnUrl, falling back to @code defaultUrl if the @code returnUrl is not set. This method clears the @code returnUrl. If...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/11 5:4 a.m.20 views

Moving pages around spaces using HTTP get without XSRF token

Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this: http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2 Malicious example of how to exploit this in an email message: after opening the email, th...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/09/02 7:10 a.m.20 views

'self' xss reported in a question's moderate

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47423. panel We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/30 6:26 p.m.20 views

/rest/menu/1.0/appswitcher displays data unauthenticated

"Calling" this function returns data without any authentication required: noformat curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...

7.3AI score
Exploits0
Atlassian
Atlassian
added 2013/08/13 1:36 a.m.20 views

Convert the SecurityHeadersInterceptor into a filter that applies to /*

The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current implementation is done in an interceptor0 it is possible for some resources to be sent without the X-XSS-Protection header. 0 SecurityHeadersInterceptor is in the default interceptor...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/05 4:10 a.m.20 views

Reflected XSS in JIRA Admin Panel (Delete User)

The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/08/03 8:0 a.m.20 views

OGNL double evaluation in atlassian-xwork

We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. A valid user account is not...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2013/07/26 9:52 a.m.20 views

Page Properties Report showing restricted items

Pages using the Page Properties control that are restricted, still display in a page with the Page Properties Report control when they should not. To clarify: A page with the Page Properties Report control that is unrestricted, shows all of the relevant pages within it. However a few of the pages...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/23 11:42 p.m.20 views

Restricted Work Log entries show in the Activity Stream in JIRA Server

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/02 12:16 p.m.20 views

Elevation of global permission from Administrator to System administrator

With "Administrator" permission I go to the global permissions page http://:7990/admin/permissions. 1. Type in the name of another user without any global permissions. 2. Select "System Administrator" as permission. 3. Press save. Expected result: Stash would deny me creating a "System...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/07/02 12:16 p.m.20 views

Elevation of global permission from Administrator to System administrator

With "Administrator" permission I go to the global permissions page http://:7990/admin/permissions. 1. Type in the name of another user without any global permissions. 2. Select "System Administrator" as permission. 3. Press save. Expected result: Stash would deny me creating a "System...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2013/06/26 9:6 a.m.20 views

View Content Permission Set not Complete.

The Content Permission Set returned from the method getViewContentPermissions is incomplete. It appears to only contain a single ContentPermission object regardless of how many View permisisons have been attached to a Page. 1 Create a new page 2 Assign a View restriction for 1 group 3 Assign View...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/06/05 6:39 a.m.20 views

Passwords of configured SMTP mail accounts are stored in cleartext

Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by: code SELECT FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts'; code Even when being an admin I should NOT be able to read-out other users email account password! This...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/05/13 2:46 p.m.20 views

https://jira.atlassian.com/500page.jsp

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-33042. panel this page shows all the data about JIRA instance to intruder. It makes it more vulnerable when you know the whole setup...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/04/29 3:41 a.m.20 views

SPAM via Answer

I have received an email notification containing a link as an aswer one of my questions. It turns out that a spam. I went online check my question and saw that the answer is not on it. So I believe this is very serious issue as we all trust and gave some personal information to Atlassian. Please...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/04/10 7:5 p.m.20 views

SSL Enabled but some link point to http:// instead of https://

This scenario will happen if enable both HTTP8090 and HTTPS8433 and 'Server Base Url' is set to HTTP. Reproduce procedures 1. Access confluence via HTTPS 2. Click menu 'Space' at the top menu 3. At 'Space Directory' page, click any of the menu at the left side eg. All spaces etc. then click link ...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/04/10 12:36 a.m.20 views

Workbox (Notifications and Tasks) leaks restricted information from a jira issue

If a confluence instance is configured to pull notifications from a JIRA server then if a user 'B' not in group 'A' watches an issue and a comment is added to the issue restricted to group 'A' then user 'B' is able to see the contents of the restricted comment via the "Notifications and Tasks"...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/03/12 11:37 p.m.20 views

Security enhancement: do not allow POST parameters to be used in GETs

My company's security team ran a vulnerability scan against our JIRA and found this issue. They advised me to bring it to your attention as an opportunity to improve security. Summary: quote Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/02/15 4:53 p.m.20 views

Anonymous users can see page restriction data, exposing user ids and group names

If an user navigates to a page that has any kind of individual "editing" restriction but is of public view and then clicks on the padlock icon, he or she will see the Names, Uids of the users who are mentioned in the "edit" restriction or any groups part if the restriction. We think it is wrong t...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/11/20 1:56 a.m.20 views

Webwork direct method invocation can bypass validatingStack through Action aliases

WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to different names. This allows a developer to reuse the same action logic, but provide different results based on interceptors. When an action is invoked, Webwork will typically call its...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/10/17 1:20 p.m.20 views

Inactive users still receiving emails from "Send email" function

The JIRA documentation for deactivating users says, bq. Will not receive any email notifications from JIRA, even if they continue to remain the assignee, reporter, or watchers of issues. However, when users have been marked as inactive they are not excluded from emails sent to groups via the 'Sen...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2012/10/08 1:32 a.m.20 views

persistent xss in a user's username within mentions within comments

A user's username is injected into the "rel" attribute of the user mention link without being encoded properly. This means that if the username contains a " character then new attributes can be injected into the user mention link element. Hence, providing a persistent xss vector. To reproduce thi...

2AI score
Exploits0
Atlassian
Atlassian
added 2012/10/04 12:4 a.m.20 views

Session-timeout not being respected

As per the following KB I made changes that should have seen timeout reduced to 2 minutes. https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597 in /confluence/WEB-INF/web.xml code 2 code I can't force Confluence to have a session timeout. This issue has been reproduced on first...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/12 6:20 p.m.20 views

User email showing in suggestions section with visibility set to hidden

Assignee user-picker shows user email in Suggestions section, with User Email Visibility set to hidden. Steps to reproduce: Email Visibility set to show user emails Assign issue to test user Set Email Visibility to Hidden Go to assign issue and search for user in the Assignee field Previous...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/12 3:55 a.m.20 views

Reflected XSS within the username parameter of the /user/non-system/{username} rest resource

The confluence-rest-plugin has a rest resource to look up "non-system" users which takes in a username. If given username supplied is not found then it is included in an xml error message without being xml encoded and thus is a XSS vector. That is, and other such xml special characters are not...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/09/03 11:31 a.m.20 views

Turning off Anti-XSRF protection for comments has no effect

Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off verified that the setting is saved in the BANDANA table, adding comments is not possible, due to an XSRF warning. This is also covered in more details on this KB:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/27 4:6 p.m.20 views

Session ID and remember me cookie should expire when LDAP user password is changed

Steps to reproduce Login as a normal Confluence user In another browser or in incognito mode, login as system administrator Go to Confluence Admin Manage Users and click on the user Click Set Password and set a different password for this user Refresh the page and the user can still access the pa...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/22 12:18 p.m.20 views

As a JIRA System Administrator, I can instruct web browsers to not allow saving a user's password in the various login options, so that unauthorized users can not access the system.

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29447. panel In some organisations, as part of a set of security requirements, it is required for compliant applications, to disallow users t...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/08 7:48 a.m.20 views

Persistent xss flaw in the revision history (of comments).

Whilst a comment is html encoded /sanitized when displayed within an answer to a question the revision history page for an edited comment does not sanitize or html encode the content of the current and previous comments. Therefore an attacker can exploit this issue to craft a persistent xss attac...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/08 3:47 a.m.20 views

persistent xss vulnerability through uploaded files in IE8/9

It is possible to upload a number of file types checked by extension to an answers instance and then download them later. Internet Explorer8/9 sniffs text/plain and some other content-types downloads to determine the 'content-type' to use. This means that a text/plain content-type file in interne...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/08 3:47 a.m.20 views

persistent xss vulnerability through uploaded files in IE8/9

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46953. panel It is possible to upload a number of file types checked by extension to an answers instance and then download them...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/08 3:47 a.m.20 views

persistent xss vulnerability through uploaded files in IE8/9

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46953. panel It is possible to upload a number of file types checked by extension to an answers instance and then download them...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2012/08/03 3:24 a.m.20 views

XSS (reflected) in fieldsKeys parameter of GHCreateNewIssue.jspa

Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield10006,summary,fixVersions,components,customfield10005,assignee,customfield10004,reporter,customfield100039fd29alert'XSS'15d31825f8e9d6606&fieldsValues=1@%@...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/08/01 7:46 a.m.20 views

XSS (reflected) in rankVMID parameter of GetRankPage.jspa

As per https://sdog.jira.com/browse/JSTDEV-2110 Targets:...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/07/27 7:41 a.m.20 views

The csrf token cookie should be a 'secure' cookie like the sessionid cookie

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46613. panel That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1....

1.7AI score
Exploits0
Atlassian
Atlassian
added 2012/07/17 11:27 a.m.20 views

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-26049. panel h5. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/06/22 1:38 a.m.20 views

XSS vulnerability in the "move" page action with html/js in the page name

There is an persistent xss vector in the 'move' page action on a page, where the javascript/html payload is included in the name of the page. Steps to reproduce: 1.create a page named: "''/'kasdfjas'dfasdf 2. on the page click on the "move" option under the tools drop-down menu 3. see an alert bo...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/06/22 1:38 a.m.20 views

XSS vulnerability in the "move" page action with html/js in the page name

There is an persistent xss vector in the 'move' page action on a page, where the javascript/html payload is included in the name of the page. Steps to reproduce: 1.create a page named: "''/'kasdfjas'dfasdf 2. on the page click on the "move" option under the tools drop-down menu 3. see an alert bo...

2.7AI score
Exploits0
Atlassian
Atlassian
added 2012/06/11 8:19 a.m.20 views

Password Reset doesn't recognise spaces in usernames

When I enter my new password and submit the page, it responds with a message about the username 'philip', but my username is 'philip widan'. There was a similar issue with the Bonfire plugin, which required an upgrade to JIRA v5 to resolve. The URL I clicked on to get to the password reset page...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/05/21 7:54 a.m.20 views

persistent xss through flash swf file attachment download

It is possible to upload a flash swf file which when the attachment 'download' url is visited the flash swf file is executed in the browser and as such can use ExternalInterface.call method to inject javascript defined in the swf file into the browser...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/05/18 8:44 p.m.20 views

multimedia macro allows execution of arbitrary scripts

The multimedia macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded user submitted swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The multimedia tag is bundled in with the base product and not an...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2012/05/13 12:43 p.m.20 views

persistent xss through svg file attachment download

The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml method. This means that is possible for a malicious party to upload a svg file containing html/javascript which will be rendered in victim's web browser. This bug should have been raised a while ag...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/05/08 5:13 a.m.20 views

Several REST interfaces vulnerable to XSRF

Several REST web services are vulnerable to XSRF|https://www.owasp.org/index.php/Cross-SiteRequestForgeryCSRF, allowing malicious web pages to execute them under the context of a logged in users browser. It's understood that JIRA REST interfaces are typically protected against XSRF based on the...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/05/06 11:34 p.m.20 views

ConsumerConfigurationServlet Open Redirect

The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/26 4:54 p.m.20 views

'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled

quote LDAP directory users and groups exposed via the /users/userpicker.action. There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior. quote quote The second exposed function that is part of this vulnerability is...

3.2AI score
Exploits0
Atlassian
Atlassian
added 2012/04/19 4:35 a.m.20 views

admin/fixcwdmemberships.jsp lacks an XSRF token to run the repair action.

admin/fixcwdmemberships.jsp does not require a csrf token to run the repair action. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/19 4:29 a.m.20 views

admin/migratelocalgroups.jsp Atlassian Local Group Migration Recovery lacks an XSRF token to run the migration

admin/migratelocalgroups.jsp Atlassian Local Group Migration Recovery does not require a csrf token to run the migration. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...

2.4AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295