Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2023/09/11 7:59 a.m.•19 views

websudo does not work for space admins in Confluence version 8.5.1

h3. Issue Summary This is reproducible on the Data Center: yes Issue happens only on 8.5.1 and works fine on 8.5.0 h3. Steps to Reproduce 1. Install Confluence Data Center 8.5.1 2. Create a Confluence test user with can use permissions in Global permissions 3. Assign all the space permissions in ...

6.8AI score
Exploits0
Atlassian
Atlassian
•added 2022/03/16 5:14 a.m.•19 views

Admin user can change Base URL without WebSudo validation

Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to bypass WebSudo validation in order to change the Base URL of a Jira instance via a Broken Access Control vulnerability in the /rest/api/2/settings/baseUrl endpoint. The affected...

5.7AI score
Exploits0
Atlassian
Atlassian
•added 2022/03/07 8:14 a.m.•19 views

Update atlassian-gadgets to 4.2.41 to fix information leak

The atlassian-gadgets library bundled in Fisheye allowed information leak about installed plugins to anonymous users...

6.7AI score
Exploits0
Atlassian
Atlassian
•added 2020/08/03 10:42 p.m.•19 views

Unvalidated redirects in UPM via reverse tabnapping

Affected versions of Atlassian Jira Server and Data Center allow an authenticated attacker to redirect a user to a malicious website via an unvalidated redirect vulnerability in some Universal Plugin Manager pages, e.g. "Manage apps" and "Find new apps". Affected versions: version 7.13.16 7.14.0 ...

5.6AI score
Exploits0
Atlassian
Atlassian
•added 2020/07/28 6:27 p.m.•19 views

Improve error handling in commits page and REST endpoint

Adding a trail "%27" at the commits page URL in Bitbucket causes the application to output the error below. !screenshot-1.png|thumbnail! This error is improper error handling as it shows the path to the git executable in the server as well as it exceeds the limits of the error page and does not...

1.4AI score
Exploits0
Atlassian
Atlassian
•added 2020/04/28 10:22 a.m.•19 views

Filter for custom field values shows all options from all contexts

h3. Summary If a custom field is added to a Portfolio plan, the Portfolio filter will show all options from all contexts configured in the custom field in Jira. h3. Steps to Reproduce Create a custom field with multiple contexts and values across contexts. Assign different projects to separate...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2018/11/07 4:35 p.m.•19 views

Setup only possible with sending user statistics

One of our customers reported an error: panel There is a problem with the setup of the new version of SourceTree 3.0.8. In the last screen the preferences are requested. It is not possible to click "Weiter" Continue without checking the second option. !Preferences.png|thumbnail! But this needs to...

2.2AI score
Exploits0
Atlassian
Atlassian
•added 2017/10/23 12:40 p.m.•19 views

XSS Vulnerability in JIRA Issue Export

A search endpoint is vulnerable to an XSS injection in certain cases. Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri...

1.8AI score
Exploits0
Atlassian
Atlassian
•added 2017/09/28 4:21 a.m.•19 views

jira xml export does not escape label and component values

searchrequest-sml endpoint html encodes issue description text, but not issue labels or component. This means that other plugins / products relying on this end point for these values are vulnerable to XSS attacks, see linked issue. Please html encode these string values : example...

6.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/05/25 3:47 p.m.•19 views

Password Reset

I changed my password on my Linux system and now I can't push/pull via Atlassian SourceTree 2.0.20.1 gui. I tried resetting via the authentication tab under Tools-Options but the password is not being saved. I can use git via command line via Terminal because I am prompted for a password. I...

4AI score
Exploits0
Atlassian
Atlassian
•added 2017/05/18 11:11 a.m.•19 views

Best Practices for Configuring JIRA Security

h5. Issue Summary Can a documentation containing a collection of best practices for securing a JIRA instance be created similar to this one|https://confluence.atlassian.com/doc/best-practices-for-configuring-confluence-security-216433533.html/?ga=2.68524696.801198909.1495105182-524443449.14914597...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/18 5:51 p.m.•19 views

Generating SSH Keys is broken (using Bitbucket Server) -- ui and config file

Please watch my short video illustrating the experience. https://www.youtube.com/watch?v=wPUAkG78BFE&feature=youtu.be Scenario 1: On MacOS X Sierra when setting up SourceTree for first time and choosing "SSH" as the authentication method, SourceTree: Should not have a URL for the Bitbucket...

7.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/17 4:45 a.m.•19 views

Shell Injection in SourceTree for Mac

SourceTree for Mac had a shell injection vulnerability starting with 1.9.8 prior to 2.3.1 the fixed version. By visiting a malicious website or by convincing a user to click a sourcetree:// URL with a vulnerable version of SourceTree for Mac installed an attacker could use a shell injection...

3.7AI score
Exploits0
Atlassian
Atlassian
•added 2017/01/09 11:15 p.m.•19 views

XSS on Delete Webhook

It was possible for users with JIRA administrator rights to perform an XSS attack through convincing another user, potentially a user with system administrators rights, to delete a specific webhook...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2017/01/09 11:11 p.m.•19 views

JIRA Server can be DOSed through a specific error page resource.

JIRA had a specific error page resource that when repeatedly accessed could result in more memory being used eventually resulting in java running out of heap space...

0.9AI score
Exploits0
Atlassian
Atlassian
•added 2017/01/09 11:11 p.m.•19 views

JIRA Server can be DOSed through a specific error page resource.

JIRA had a specific error page resource that when repeatedly accessed could result in more memory being used eventually resulting in java running out of heap space...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/28 4:10 a.m.•19 views

Update atlassian-gadgets in Confluence to fix AG-1502/ACG-5

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-45392. panel For Confluence Server as https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets t...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/28 3:58 a.m.•19 views

Update atlassian-gadgets in JIRA Server to fix AG-1502

Now that https://ecosystem.atlassian.net/browse/AG-1502 has been fixed, upgrade atlassian-gadgets to a version that contains a fix for it. In this case JIRA Server would update atlassian-gadgets to a version = 4.2.14...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2016/11/03 6:49 p.m.•19 views

"Allowed review participants" isn't restricting the scope for groups

h3. Summary The "Allowed review participants" option in the project settings isn't restricting the scope for groups when searching for reviewers to be added to a review, therefore all the groups are listed, even the ones not included as allowed groups. h3. Environment Tested on Crucible 4.2.0 h3...

2.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/11/02 7:29 a.m.•19 views

SECURITY: Update application-links in JIRA Server to fix APL-1327

Now that https://ecosystem.atlassian.net/browse/APL-1327 has been fixed, upgrade application-links to a version that contains a fix for it. In this case JIRA server would update application-links from version 5.2.3 to version 5.2.4...

2AI score
Exploits0
Atlassian
Atlassian
•added 2016/08/10 5:55 p.m.•19 views

Secure SSL flag does not work when using Delegated LDAP

h3. Summary The Secure SSL flag under the Advanced Settings section in the LDAP settings does not work when using Delegated LDAP/Internal with LDAP Authentication in JIRA. h3. Steps to Reproduce Add a Delegated LDAP AD in JIRA Checking the Secure SSL checkbox and hit the Save and Test button if w...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/07/19 7:11 p.m.•19 views

XSS in Mail Whitelist Field

Jira Admins can create a persistant XSS on the Incoming Mail configuration page. When the value code "alert1 code is inserted into the Witelisted Domain field on the page code /secure/admin/IncomingMailServers.jspa code The javascript persists and executes on page load. This was tested on Jira...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/06/24 8:41 p.m.•19 views

When JIRA project has a security scheme, the option "None" is not displayed in Crucible

h3. Summary Whenever a JIRA project has a Security Scheme defined, and a workflow transition has at least one required field, a window is opened in JIRA side so that the required field/s are selected. Among the fields displayed in this window there will be the "Security Level", in which the...

0.7AI score
Exploits0
Atlassian
Atlassian
•added 2016/06/01 6:40 a.m.•19 views

JIRA puts a user's XSRF token in various resources.

h5.Steps to Reproduce: Log into JIRA Log out from JIRA h5.Expected Results: The URL shown in the address bar does not show the atltoken value h5.Actual Results: The URL shown in the address bar shows the atltoken value h5.Impact After checking with the security teams, this appears to be a low ris...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/05/03 5:12 p.m.•19 views

Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem

To reproduce: Create an issue Attach a file to it Locate the file on the JIRA-server filesystem -- under JIRA "home" directory attachments/..../PROJECT-ISSUE Move the issue to a different project or delete it completely Observe the empty issue subdirectory remaining on the filesystem The director...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/05/03 5:12 p.m.•19 views

Moving or deleting an issue leaves the empty attachments subdirectory on the filesystem

To reproduce: Create an issue Attach a file to it Locate the file on the JIRA-server filesystem -- under JIRA "home" directory attachments/..../PROJECT-ISSUE Move the issue to a different project or delete it completely Observe the empty issue subdirectory remaining on the filesystem The director...

1.4AI score
Exploits0
Atlassian
Atlassian
•added 2016/04/22 2:13 p.m.•19 views

users without "delete attachment permission" can delete attachment

go to space tools permissions and remove the permission of user X to delete attachments go to a page of that space which contains an attachment go to attachments no "delete" link available / expand an attachment to see older versionns including current version for each version there is the...

2AI score
Exploits0
Atlassian
Atlassian
•added 2016/04/20 7:41 a.m.•19 views

Drop support Windows Quicktime plugin from Confluence multimedia plugin

The US Govt is recommending users should uninstall Quicktime for Windows http://krebsonsecurity.com/2016/04/us-cert-to-windows-users-dump-apple-quicktime/ In order to assist users transition we need to drop support for Quicktime plugin from Multimedia plugins and use the "video" tag instead...

3AI score
Exploits0
Atlassian
Atlassian
•added 2016/03/21 10:33 p.m.•19 views

Stored XSS in ViewWorkflowTransition.jsp

Step to reproduce: 1 Go to workflow edit page as an administrator 2 Add validator "User Permission Validator" to transition with user name parameter "alert2" 3 It will trigger xss on ViewWorkflowTransition page...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/01/20 12:46 p.m.•19 views

Customer can see Internal Comment created by Automation Action

h5. Environment - run JIRA from atlas-debug - JIRA 7.0.5 - JIRA Service Desk 3.0.5 h5. Steps to reproduce Create Service Desk project go to Administration - Automation tab click New rule - Custom rule add Trigger Issue Created add Action Add comment put some Comment text and select Internal as...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/12/07 7:52 p.m.•19 views

User Picker Custom field HTML tags showing when creating new issues

h3. Summary Customer reported that when creating custom field User Picker and added html tags in description field, text link shows correctly in Custom Field screen under Administration Setting. However when creating new issues, the create issue form for User Picker field shows the HTML code not...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/12/07 7:52 p.m.•19 views

User Picker Custom field HTML tags showing when creating new issues

h3. Summary Customer reported that when creating custom field User Picker and added html tags in description field, text link shows correctly in Custom Field screen under Administration Setting. However when creating new issues, the create issue form for User Picker field shows the HTML code not...

7.1AI score
Exploits0
Atlassian
Atlassian
•added 2015/12/01 10:54 a.m.•19 views

It is possible to access the list of patches in a review and their content by unprivileged users

We've discovered and fixed a security issue, where the attacker could using the REST API: access the list of patches in a review their filename, database id upload date and anchor details without authentication access the patch content for any review as long as he had view access to any other...

4.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/10/01 8:59 a.m.•19 views

Prevent Activity feed information leakage by allowing permanently disabling of it

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-45601. panel It seems that the sensitive information leakage is something almost impossible to avoid when you have a pair of JIRA instances,...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/09/28 7:40 p.m.•19 views

Migrating JIRA/Confluence from Cloud to Cloud reactivates inactive users

h3. Summary Admin migrated a Cloud instance of JIRA/Confluence to a new base URL. During the migration to the new JIRA/Confluence instance, inactive users became active. h3. Environment JIRA Cloud Confluence Cloud h3. Steps to Reproduce Create a user in JIRA Cloud Deactive user. Make inactive...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/09/01 2:42 p.m.•19 views

change fontset 'icons' to html entities to improve security compliance

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-38988. panel It seems that the icons in Confluence are currently rendered using fontset. This can be an issue for organization...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/07/13 8:17 a.m.•19 views

Disabled Users Receive Notification from Team Calendar

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-48834. panel h3. Summary Confluence disabled users that subscribed to a calendar still receive notifications when calendar have...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/18 10:9 p.m.•19 views

Content Spoofing in UpdateMyJiraHome

A third party scan found that the ConvertIssue.jspa action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users. How to reproduce: 1- go to...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/04/08 10:58 a.m.•19 views

Update Java version bundled in the installer

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-37164. panel The version of Java bundled with Confluence is 1.7.015 which is a little bit dated February 2013. We should bundle...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/03/30 7:14 a.m.•19 views

Bundled Java Version Security Patches

At the moment, the bundled JAVA is version 1.7.015. The recent JAVA version is 1.7.72, which has many security patches http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html. Does the security vulnerabilities on bundled JAVA JRE something that we should be concerned about?...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/02/27 1:46 p.m.•19 views

Restrictions not applied for inline comments in attachments

When there is a comment for a file which is attached to a restricted page, all users can see the comment, even the ones who are not allowed to see the page and its attachments. h3. Workaround for 5.7 There is no workaround for customers running Confluence 5.7. Customers are advised to upgrade to...

4.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/02/26 12:9 a.m.•19 views

XSRF - complete task request omits atl-token

Potential XSRF vulnerability in tasks. No atl-token is present in the request to complete a task which suggests an attacker may be able to craft a cross site request forgery and action a task without the correct authorisation...

3.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/02/26 12:9 a.m.•19 views

XSRF - complete task request omits atl-token

Potential XSRF vulnerability in tasks. No atl-token is present in the request to complete a task which suggests an attacker may be able to craft a cross site request forgery and action a task without the correct authorisation...

3.4AI score
Exploits0
Atlassian
Atlassian
•added 2015/01/23 5:27 a.m.•19 views

Drop SSlv3 retry and copied CustomSSLProtocolSocketFactory.java from SAL

The fix for CONF-24035 introduced a retry with SSLv3 if a connection fails. However, like workaround implemented in SAL-203 there is no need to retry with SSLv3 - instead enabling TLSv1.1 or higher will address the issue. The issue is actually caused by java not following the TLS rfc. When TLSv1....

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/23 5:27 a.m.•19 views

Drop SSlv3 retry and copied CustomSSLProtocolSocketFactory.java from SAL

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-36250. panel The fix for CONF-24035 introduced a retry with SSLv3 if a connection fails. However, like workaround implemented i...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/06 2:10 a.m.•19 views

Request access to this page. userFullName can be modified.

Steps to reproduce: 1.-Create a page and grant permissions only for you 2.-Modify this url to point to your pageId https://extranet.atlassian.com/pages/viewpage.action?pageId=XXXXXXX&username=scia&userFullName=Scott%2BFarquhar&grantAccess=true 3.- You will be asked to grant Scott Farquhar...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/12/16 12:2 a.m.•19 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the FishEye web interface. All versions of FishEye up to and including 3.6.1 a...

2AI score
Exploits0
Atlassian
Atlassian
•added 2014/10/30 9:18 a.m.•19 views

After disable SSL 3.0 (cause of Poodle) Jira doesn't work

After following this description: https://confluence.atlassian.com/display/JIRA/How+To+Disable+SSLv3+to+Mitigate+Against+POODLE+Exploit+for+JIRA?focusedCommentId=683541348&comment-683541348 Jira doesnt work anymore. Our default server.xml contains following: scheme="https" secure="true"...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/27 10:1 p.m.•19 views

HTML does not render in Project Description

If you enter HTML into the project description it does not get rendered. Reproduced this on a clean 6.3.8 instance. Looks like this has happened in the past: https://jira.atlassian.com/browse/JRA-20032 https://jira.atlassian.com/browse/JRA-15906 Regression? Or possibly a different root cause?...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/27 10:1 p.m.•19 views

HTML does not render in Project Description

If you enter HTML into the project description it does not get rendered. Reproduced this on a clean 6.3.8 instance. Looks like this has happened in the past: https://jira.atlassian.com/browse/JRA-20032 https://jira.atlassian.com/browse/JRA-15906 Regression? Or possibly a different root cause?...

0.4AI score
Exploits0
Total number of security vulnerabilities4295