Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2010/11/03 3:44 a.m.•20 views

Security Vulnerability in Confluence Remote API

We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The Remote API|http://confluence.atlassian.com/display/DOC/Enabling+the+Remote+API allows an attacker to escalate user privileges, excluding the level of syst...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:15 p.m.•20 views

Allow to specify which user to be used in trusted connection with JIRA

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-21127. panel This is an improvement request to allow specifying which user to be used in trusted connection with JIRA. Proposed...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:11 a.m.•20 views

Intermittent Session Lost During Add/Edit Page in Firefox

We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/05 12:52 a.m.•20 views

Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication

When user is required to confirm the password, Confluence always checks the entered password against the internally stored user/password. If an instance is configured to use custom authentication which is different from atlassian-user, the password validation will fail. h3. Resolution This is fix...

0.7AI score
Exploits0
Atlassian
Atlassian
•added 2010/09/23 1:6 a.m.•20 views

XSS vulnerability in space key, particularly with decorators off

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-20865. panel As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerabl...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/22 6:18 p.m.•20 views

Page view restriction is not inheriting to child pages in some spaces

When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/03 7:23 a.m.•20 views

XSS vulnerability in Confluence Space Names

We have identified and fixed a cross-site scripting XSS vulnerability in Confluence Space Names. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker's te...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/09/03 3:14 a.m.•20 views

Allow anonymous/public access at page level

Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous access on a page per page basis within that space. This feature is missing and workarounds like create public spaces just for those pages are not viable...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/25 1:56 a.m.•20 views

XSS vulnerability in the Office Connector

We have identified and fixed a cross-site scripting XSS vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/08/25 1:39 a.m.•20 views

Path traversal vulnerability in various Confluence actions

We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers can retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal...

1.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/08/18 6:38 a.m.•20 views

websudo annotation backwards compatibility (Confluence 3.3)

Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/02 5:14 a.m.•20 views

Secure Administrator Sessions feature can be bypassed

In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/07/15 12:33 a.m.•20 views

Enable Web Sudo to work with other single-sign-on solutions

Customers with some of the unsupported single sign-on solutions|http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/07/13 11:26 a.m.•20 views

sudo is decorated with global decorator

The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use confluence. By decorating the sudo login pages using the global decorator it exposes the user to...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/07/13 11:26 a.m.•20 views

sudo is decorated with global decorator

The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use confluence. By decorating the sudo login pages using the global decorator it exposes the user to...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/25 4:47 p.m.•20 views

Logout Button / Option Missing for some LDAP user accounts

Instance Details / Description: The logout option to kill sessions is not present for some user accounts i,e, the zzsvat01-05 test accounts. It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances i.e. probably...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/25 3:40 p.m.•20 views

Malicious File Upload

The application server accepted a vbscript file, an HTML file containing JavaScript, and the EICAR test virus as allowed attachments. This means that an attacker could submit a malicious file to the backend, where the file might be launched by another internal RIM employee if they click and open...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/21 6:16 a.m.•20 views

XSS vulnerability in Clickr theme

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/21 3:40 a.m.•20 views

XSS vulnerability in PDF export

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/11 11:35 p.m.•20 views

500page.jsp Improvements

Some further improvements to the 500page.jsp: The following should not appear if there is no stack trace: quote Cause Stack Trace:hide quote \ \ Stack trace should not appear if the user triggering the page is anonymous user Changes to this sentence below: quote"Your Confluence administrator can...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 4:22 a.m.•20 views

Require user to answer CAPTCHA after three failed attempts

Require user to answer CAPTCHA after three failed attempts. For SOAP and XMLRPC this means that the user will have to open a browser to answer the CAPTCHA, similar to how google does it. This issue has been rated MODERATE. Please refer to http://confluence.atlassian.com/x/ZILmD for details on oth...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 1:3 a.m.•20 views

Not all error strings are encoded

A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/19 3:11 a.m.•20 views

brute force password attack protection by default

We have added an upgrade task to set jira.maximum.authentication.attempts.allowed=5 on all instances even if they previous had set it to something else. This is to ensure that systems are more safe by default...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/18 1:44 a.m.•20 views

The current CAPTCHA implementation may not be secure

The current CAPTCHA implementation displays a different message if the CAPTCHA is being displayed and the captcha is entered correctly but the password for the user is not, than if the CAPTCHA is entered incorrectly. This is giving away more information than a login screen should. The error messa...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 5:9 a.m.•20 views

500page.jsp contains HTTP Header XSS vulnerability

The 500page.jsp contains an XSS vulnerability via the 'Referrer' HTTP header...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 5:4 a.m.•20 views

issuelinkssmall.jsp has an XSS hole via the URL used to access it

The issuelinkssmall.jsp has an XSS hole, where if the URL contains an XSS string, the ww:url tag will include that tag in the page because the value attribute was left empty...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/10/12 9:20 p.m.•20 views

Workflow permission to limit ability to link issues

We need to be able to limit the ability to link issues by the issue status. If we have two issues, and they are both closed, I do not want to be able to link them. If one or both are opened or in progress, I'd like to be able to create the link from the open issue. We are trying to use Jira for...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/09/24 7:28 a.m.•20 views

XSS in header for Personal Spaces

Create a user with username "alert'hahahaha' User creates a personal space Try to add a page to the personal space This is caused by code code However since the personal space doesn't work too well with usernames with crazy letters, I don't think its a Blocker...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/07/30 4:4 a.m.•20 views

Upgrade to the latest version of Seraph and Trusted Applications library

Andreas needs to make some improvements to trusted-application behaviour for Gadgets. In order to do this, we need to first get onto the latest version of Seraph where Trusted Applications is split out into a separate library. Also, the new version of Seraph uses a version of oscore library|SER-1...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/21 8:5 a.m.•20 views

Viewfile macros do not respect page restrictions

Add a page Set viewing restrictions to user1 only Add an attachment - 'Sample.doc' Log in as user2 - confirm that you cannot see the restricted page Add a page, and use the viewfile macro Enter the location of the attachment on the restricted page The contents of the attachment can now be viewed ...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/14 3:26 a.m.•20 views

Prevent global settings from being accidentally overwritten

On a number of occasions, upgrading Extranet has triggered some kind of bug that has caused the global settings to be reset to their default values. The most obvious cause of this is that some piece of code has created a new Settings object and saved it through the settings manager. One way to...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2009/04/09 1:34 a.m.•20 views

Update JIRA certificate for Screenshot Applet and others. It expires in June 2009

See https://extranet.atlassian.com/jira/browse/ADM-3253 Move Steves branch into trunk in the process. Also I think the build environment might need direct updating...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:38 p.m.•20 views

Bright Cove User Macro-Cross-site script

Our e-security found the following error after they scanned the Bright Cove User Macro: Number System/Location Defect Type Status R4 Bright Cove User Macro Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:27 p.m.•20 views

Cache Plugin -Cross-site script error

Our e-security department found the error below after scanning the Cache Plugin: Number System/Location Defect Type Status R3 Cache Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be use...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2009/03/19 4:27 p.m.•20 views

Cache Plugin -Cross-site script error

Our e-security department found the error below after scanning the Cache Plugin: Number System/Location Defect Type Status R3 Cache Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be use...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:23 p.m.•20 views

Reporting Plugin- Cross-site scripting error

Our e-security found the following error for the Reporting plugin: Number System/Location Defect Type Status R2 Reporting Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be used to...

0.1AI score
Exploits0
Atlassian
Atlassian
•added 2009/03/12 7:47 a.m.•20 views

JIRA build information not included in dummy XML responses to search filter requests which users do not have access to

The build-info element is missing from the response to search filter XML requests. noformat https://support.atlassian.com/sr/jira.issueviews:searchrequest-xml/10593/SearchRequest-10593.xml?tempMax=100 noformat Happens if the user does not have access to the filter. See also...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/02/20 12:41 a.m.•20 views

Redirect that works in 2.9 is broken in later Confluence versions

Adding a .jsp containing the following code will work in 2.9, but produces an exception in 2.10 when a parameter such as osdestination is supplied: code code Example URL: http://localhost:8080/confluence/login2.jsp?osdestination=%2Fdashboard.action Typical exception: quote...

1.7AI score
Exploits0
Atlassian
Atlassian
•added 2009/02/08 3:11 p.m.•20 views

Seraph binary dosn't correspond to source distribution for JIRA 3.13.2

Try to stepover getUserHttpServletRequest request, HttpServletResponse response Also, if user is not resolved by session, why not to try resolve it from cookie...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/12/17 4:34 a.m.•20 views

Word import with Office Connector can overwrite existing content without permission

It's possible under a specific set of circumstances that a user could perform actions they may otherwise be unauthorized to perform using the document import feature of the Office Connector. The specific actions would be editing or deleting a page they don't have permission to change. Note that...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/12/17 4:34 a.m.•20 views

Word import with Office Connector can overwrite existing content without permission

It's possible under a specific set of circumstances that a user could perform actions they may otherwise be unauthorized to perform using the document import feature of the Office Connector. The specific actions would be editing or deleting a page they don't have permission to change. Note that...

2.4AI score
Exploits0
Atlassian
Atlassian
•added 2008/12/17 4:34 a.m.•20 views

Word import with Office Connector can overwrite existing content without permission

It's possible under a specific set of circumstances that a user could perform actions they may otherwise be unauthorized to perform using the document import feature of the Office Connector. The specific actions would be editing or deleting a page they don't have permission to change. Note that...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/12/16 5:40 a.m.•20 views

Get 500 when trying to communicate to confluence via trusted apps.

Steps to reproduce. 1 Install confluence 2.9.2 and crucible 1.6.5 2 Setup trusted apps to crucible specify a "IP address Matches as 10.0.100.123 3 Install the confluence crucible plugin...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2008/12/16 5:40 a.m.•20 views

Get 500 when trying to communicate to confluence via trusted apps.

Steps to reproduce. 1 Install confluence 2.9.2 and crucible 1.6.5 2 Setup trusted apps to crucible specify a "IP address Matches as 10.0.100.123 3 Install the confluence crucible plugin...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/11/14 12:59 a.m.•20 views

Attachment list in popup doesn't escape filenames causing XSS hole

The filenames in the attachment list of the link popup aren't being escaped. If you upload an attachment with a filename including html it could be executed...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2008/11/07 12:35 a.m.•20 views

Inserted image filenames are not escaped properly as thumbnails

When you insert an image as a thumbnail into a wiki page, the generated HTML does not properly escape the filename...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/09/17 9:4 p.m.•20 views

It's possible to execute a workflow action without being logged in.

To reproduce, open Jira in two browser windows. In the first, navigate to an issue with an available workflow action. In the second, log out. In the first, perform one of the workflow actions. You'll see a page asking you to log back in, but the action has still been performed. To see this, in th...

2.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/09/15 4:5 p.m.•20 views

Stored XSS in wiki macro search

Creating a page/comment etc with the following wiki-markup macro will render javascript on the page for anybody visiting this page search:query=alertdocument.cookie IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the vulnerability to publicly...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/06/24 6:19 a.m.•20 views

Security Vulnerability in xwork, need to update to fixed version

see http://cwiki.apache.org/confluence/display/WW/S2-003 confluence currently using v1.0.3. 1.0.x branch was not yet patched so we cannot upgrade straight away. Don B is working on releasing the fix...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/06/04 1:58 a.m.•20 views

SSO credentials not used in IssueViewURLHandler

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-15048. panel A customer has created a SSO plugin and are facing some specific issues in this context. When they click on the printable link ...

7.2AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295