Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/04/22 5:36 p.m.20 views

Remember my password with LDAP

At the login screen, when we click on 'Remember my login on this computer' and login, everything works well. When we close the browser without logout, the login should be remember on this computer. When we try to get back into Jira, here's the bug that we have into our log file. 2008-04-22...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/21 4:28 p.m.20 views

XSS vulnerability in viewinfo.action

Referrer URLs are not encoded in viewinfo.vm...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/18 3:16 a.m.20 views

XSS vulnerability in browseusers.vm

browseusers.vm does not escape usernames...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 4:8 a.m.20 views

username not validated in add user to favourites action

Entering a bogus username here has the unwanted side effect of adding a bogus entity to your user favourites that can't be removed...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/17 3:12 a.m.20 views

JIRA Portlet Macro not displaying when authenticating using the trusted application between JIRA and Confluence

We're having issues using the JIRA portlet macro jiraportlet on pages inside Confluence. Whenever we try to use this macro using the trust between JIRA and Confluence for authentication, the macro does not display on the page. There aren't any errors, it just doesn't appear. code...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/10 3:35 a.m.20 views

Moving a subtask Issue Type will sometimes ask the user for a Security Level even though this value is inherited from the Parent Issue.

When you move a subtask from an Issue Type where Security Level is a hidden field, to one where Security Level is no longer hidden, the system can mistakenly ask the User for a new Security Level. This is only a minor issue, as then the subtask will not actually take on the chosen value - it will...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/12/19 2:16 p.m.20 views

Security vulnerability with Dashboard spacesSelectedTab

Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...

1.7AI score
Exploits0
Atlassian
Atlassian
added 2007/11/12 3:22 a.m.20 views

Bulk Move does not update the Security Level of subtasks

When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/24 6:4 a.m.20 views

Issues not shown in issue navigator that a user has permission for according to the issue security level

Users may not be able to see certain issues in the IssueNavigator, if they create an issue level security, where the permission depends on a user custom field where the customfield does not have a searcher set. Browsing the issue directly, works fine, however when running a search the issue wont ...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/22 6:2 a.m.20 views

Username upper case are not being restricted in some pages

Username must be created in lowercase in JIRA. At the moment, JIRA allows the username with the lowercase or uppercase letter in Login and Add Watcher pages. It should restrict the case-sensitive when the username is request from the login page or convert it to lower case. JIRA should have this...

3.1AI score
Exploits0
Atlassian
Atlassian
added 2007/10/17 12:34 a.m.20 views

Move velocity templates and other web resources into WEB-INF in the Confluence webapp

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-9730. panel It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/06 6:57 p.m.20 views

Option to disable "secure" cookie when using HTTPS just for login page

Confluence's "remember me" tickbox doesn't work if the login page is secure, but the rest of the application is unsecured. Seraph's CookieUtils.setCookie method create a secure cookie ref|http://www.apps.ietf.org/rfc/rfc2965.htmlpage-7 if the request had a secure URL, and this cookie isn't sent b...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/05 8:3 p.m.20 views

Only allow basic formatting macros in comments

Currently it is possible for users with create comments permission to embed macros in these comments. This is a security risk and unnecessary/unwanted feature. Should a macro contain security vulnerability, we can't rely on the fact that only trusted users whom we given permission to create/edit...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/05 8:3 p.m.20 views

Only allow basic formatting macros in comments

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-9387. panel Currently it is possible for users with create comments permission to embed macros in these comments. This is a...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/10 11:43 p.m.20 views

It is possible to see components without logging in

It is possible to see project's components without logging in by just guessing urls, e.g. jira-installation/browse/KEY/component/10881. This will show all the information written on component issues are not shown. This should be restricted so that it is impossible to see any project information...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/31 4:4 a.m.20 views

Remove the space-list from the 404-error-page to reduce load on server

The default 404 page shows a list of spaces. On a big, busy instance this can generate a lot of load. The query is run on every 404 which can happen multiple times on a request if there are some bad resources missing css/js etc. Perhaps there should be some sort of throttling or configuration to...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/24 7:51 a.m.20 views

Reflected XSS Vulnerability in the Feed Builder

---- Input in the Feed Builder is not properly handled. Insert: code "alert'Gotcha!' code as the feed name title and you get url like this:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:45 a.m.20 views

Vulnerability against DoS attack via labels

Description: When you give more labels to a content, then Confluence split up the user input on spaces, and then make az SQL query against each word or something like this. Exploit: Giving x thousand characters depends on the machine separated by space as label results the system is breaking down...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 8:31 p.m.20 views

stored XSS vulnerability in app/themes/leftnavigation/configuretheme.action

Description: Stored XSS via page app/themes/leftnavigation/configuretheme.action?key= Exploit: Example value in the Naviagtion Page field: "aletrdocument.cookiex x="...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/11 9:53 a.m.20 views

UnsupportedOperationException with hasPermissionToCreate when called with DocumentIssueImpl

Extending the SearchRequestPortlet for Kaamelot Portlet, I use WorklogService.hasPermissionToCreateJiraServiceContext jiraServiceContext, Issue issue . As SearchRequestPortlet provides through its SearchProvider a list of Issue based on class DocumentIssueImpl, the hasPermissionToCreate fails wit...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2007/07/11 12:37 a.m.20 views

Security issue: user can copy page with only view permissions

I have a user who only has view permissions to a space. Logging on as that user, I went to the Info tab of a page. The Copy operation appeared, and I was able click the link, edit the copied page, and save it. This must be a security hole?...

0.5AI score
Exploits0
Atlassian
Atlassian
added 2007/03/21 11:3 p.m.20 views

Make anonymiser more strict about the translation of values

the anonymiser replaces letter and number characters in string values during xml backup. A more strict anonymiser would replace more characters. For passwords in particular i.e. mail server passwords this could increase security by translating all characters except whitespace. Whitespace should b...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:22 p.m.20 views

Data anonymiser does not blank out SMTP server username and password

SMTP server username and password are readable in database/xml export: This can possible security leak e.g. when you sent support request, where you send database export to support. Anonymizer does not remove these values. ---- Username and password should be encoded format in database...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/15 10:22 p.m.20 views

Data anonymiser does not blank out SMTP server username and password

SMTP server username and password are readable in database/xml export: This can possible security leak e.g. when you sent support request, where you send database export to support. Anonymizer does not remove these values. ---- Username and password should be encoded format in database...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2007/03/07 9:2 p.m.20 views

Project Role Modifications not reflected in Issue Security Scheme

If you modify users/groups in a project's project role and this project uses an issue security scheme, you must remove the role and re-add it to the issue security scheme for the role changes to take effect. Steps to Reproduce: 1. Need to be the admin of a project whose issue creation screen has...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/07 9:2 p.m.20 views

Project Role Modifications not reflected in Issue Security Scheme

If you modify users/groups in a project's project role and this project uses an issue security scheme, you must remove the role and re-add it to the issue security scheme for the role changes to take effect. Steps to Reproduce: 1. Need to be the admin of a project whose issue creation screen has...

0.8AI score
Exploits0
Atlassian
Atlassian
added 2007/02/20 11:13 p.m.20 views

Need ability to limit use of remote API to certain users, or a certain group

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-7913. panel The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/02/20 11:13 p.m.20 views

Need ability to limit use of remote API to certain users, or a certain group

The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many pages can take several minutes, and all other users are locked from the wiki until it completes Reading or writing pages too rapidly through the API can impact the responsiveness of...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/12/14 1:22 a.m.20 views

Confluence is not using the seraph logout url to define how to log out.

We need to update our use of seraph to delegate the definition of the logout url to seraph-config.xml h2. Workaround for Confluence 5.7.2 and older Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location with "x.x.x" representing your Confluence version number Extract the...

0.9AI score
Exploits0
Atlassian
Atlassian
added 2005/10/01 5:56 p.m.20 views

NPE in SpaceHelper borks page....

If you have a url for Space admin : http://server.name.com/spaces/listdecorators.action?key=BP2I And you get the space key wrong, then rather than failing gracefully, you end up with an sitemesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName retur...

7AI score
Exploits0
Atlassian
Atlassian
added 2005/10/01 5:56 p.m.20 views

NPE in SpaceHelper borks page....

If you have a url for Space admin : http://server.name.com/spaces/listdecorators.action?key=BP2I And you get the space key wrong, then rather than failing gracefully, you end up with an sitemesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName retur...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/09/14 4:22 a.m.20 views

A user cannot set the security level to none if the default security level is set

Selecting 'none' always creates an issue with the default security level...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/09/14 4:22 a.m.20 views

A user cannot set the security level to none if the default security level is set

Selecting 'none' always creates an issue with the default security level...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/05/04 4:22 a.m.20 views

LDAP authentication falls back to database check when password is incorrect

If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/10 3:49 p.m.20 views

Logon with wrong user/password gives 'weird' errorpage.

Error screen after wrong login is 'weird'...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/02/03 2:54 a.m.20 views

Obscure email addresses in Confluence Mail

Just noticed that http://confluence.atlassian.com/spaces/viewmailarchive.action?key=DOC is showing my full email address.and other ppl's too. Eeek! We really want to obscure them. And anywhere else they appear in confl... Maybe some funky javascript email encryption ?...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/06/29 10:11 p.m.20 views

Spam-protection

We need something like MT-Blacklist: the ability to define URL patterns that flag a page and/or comment as spam. It shouldn't be too hard to do - we already track URL links. The UI will need some thought though what do you do if you define a URL as spam, and it's in a page? Revert the page back t...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/04/01 11:52 a.m.20 views

Character not allowed in user name

A user has sign up with the user name "m&m". The i tried to modify this user. Because the username is passed as url parameter FooServlet?name=m&m : GET or POST method the servlet container cut the name and try to retreive the username named "m" !!! The only way is to use a database client, change...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/02/20 2:47 a.m.20 views

When deleting an Issue Security Level issues need to be re-indexed

Create 1 security levels Put some issues into it Delete the level hence removing any security level from the issues You will not be able to find the issues any more - need to re-index...

1.1AI score
Exploits0
Atlassian
Atlassian
added 2026/04/16 1:50 p.m.19 views

mXSS (mutation Cross-Site Scripting) dompurify Dependency in Jira Service Management Data Center and Server

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity nesting-based mXSS mutation Cross-Site Scripting vulnerability was introduced in version 10.3.0 of Jira...

10CVSS6.6AI score0.01093EPSS
Exploits2
Atlassian
Atlassian
added 2026/04/10 10:29 p.m.19 views

DoS (Denial of Service) axios Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 9.0.1, 9.0.3, 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.7AI score0.02591EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/12 8:28 p.m.19 views

Path Traversal node-tar Dependency in Jira Software Data Center

This High severity Path Traversal vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.8 and a CVS...

8.8CVSS5.8AI score0.00233EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/06 5:28 a.m.19 views

File Inclusion node-tar Dependency in Jira Software Data Center

This High severity File Inclusion vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Software Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2 and a CVS...

8.2CVSS5.9AI score0.00334EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/13 11:45 a.m.19 views

CVE-2025-68493 impact on Bamboo

h3. Issue Summary Impact of CVE-2025-68493 in Bamboo https://cwiki.apache.org/confluence/display/WW/S2-069 Parsing of XML configuration in XWork component does not validate XML in proper way and it's vulnerable to XML external entity XXE injection. h3. Steps to Reproduce ||Impact of...

8.1CVSS5.9AI score0.23054EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/16 6:27 p.m.19 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2025-66675 was introduced in versions 7.0.2 and 7.1.0 of Crowd Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H allows an...

8.2CVSS5.4AI score0.00508EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/16 7:5 a.m.19 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 5.12.2, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, and 10.7.1 of Jira Service Management Data Center and Server. This DoS Denial of Service vulnerability, with a...

7.5CVSS8AI score0.01819EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/14 6:28 p.m.19 views

File Inclusion tar-fs Dependency in Confluence Data Center and Server

This High severity File Inclusion vulnerability known as CVE-2025-59343 was introduced in version 7.19 of Confluence Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.7 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N allows an...

8.7CVSS5.6AI score0.00516EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.19 views

XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Bamboo Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in versions 9.6.1, 10.0.0, 10.1.0, 10.2.0, 11.0.0, and 12.0.0-rc3 of Bamboo Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 8.4 and a CVSS Vector of...

9.8CVSS5.6AI score0.02962EPSS
Exploits4
Atlassian
Atlassian
added 2025/11/14 2:31 a.m.19 views

DoS (Denial of Service) Third-Party Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.0, 11.0.0 and and 11.1.0 of Jira Service Management Data Center and Server. This...

7.5CVSS6.9AI score0.64718EPSS
Exploits1
Atlassian
Atlassian
added 2025/10/22 7:34 a.m.19 views

Jira issue creation fails due to a problem with security level mapping.

h3. Issue Summary As per the issue-level security configuration|https://confluence.atlassian.com/adminjiraserver103/configuring-issue-level-security-1489807354.html documentation, when setting the default security level for an issue security scheme, if the issue reporter does not have the 'Set...

6.8AI score
Exploits0
Total number of security vulnerabilities4295