4295 matches found
UploadAttachmentsAction XSRF
The UploadAttachmentsAction action is declared to use a validatingStack interceptor chain, but does not use the RequiresSecurityToken element, leaving it open to an XSRF attack. If this were exploited, an attacker could force a user’s browser to upload files into a space they have write permissio...
JIRA REST API makes it easy to harvest email addresses
The JIRA REST API makes it easy to harvest email addresses as an anonymous user. 1. Go to https://jira.atlassian.com/browseJRA-22053 as anonymous. Note that you can't extract email addresses from this page unless the user has used an email address as her username. 2. Now go to...
File Attachment persistent XSS
There is a persistent XSS vulnerability in the attachment download functionality of Confluence. By uploading a malicious executable file type like SVG scalable vector graphics with embedded JavaScript, it’s possible for an attacker to execute arbitrary code under the context of the logged in user...
Persistent xss within build and plan labels
Labels are not escaped when rendered in several resources and so are a persistent xss vector. Some example resources where this can be seen include: plan configuration, plan viewing, http://$host/bamboo/build/label/viewLabels.action and allPlans.action as filter options. An example label which ca...
persistent xss in a user's username within mentions within comments
A user's username is injected into the "rel" attribute of the user mention link without being encoded properly. This means that if the username contains a " character then new attributes can be injected into the user mention link element. Hence, providing a persistent xss vector. To reproduce thi...
Information disclosure in REST API
REST endpoints to search groups and to list issue resolutions allow anonymous/unauthenticated access. The former allows to enumerate all groups on a JIRA instance by sending multiple queries as results are limited by jira.ajax.autocomplete.limit. We've verified this on an instance without any...
Provide HTTP headers for the content that absolutely must not be cached on the client
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29598. panel We have to provide the following HTTP headers in all responses containing sensitive content: Cache-control: no-store Pragma:...
There is a reflected xss flaw in the settings.action of dailysummary settings.action.
There is a reflected xss flaw in the settings.action of dailysummary settings.action as the username parameter is not html encoded before being rendered on the page. Here is an example of a reflected xss it adds a picture of a lolcat to the page...
Persistent xss flaw in the revision history (of comments).
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47387. panel Whilst a comment is html encoded /sanitized when displayed within an answer to a question the revision history pag...
Password Reset doesn't recognise spaces in usernames
When I enter my new password and submit the page, it responds with a message about the username 'philip', but my username is 'philip widan'. There was a similar issue with the Bonfire plugin, which required an upgrade to JIRA v5 to resolve. The URL I clicked on to get to the password reset page...
Several REST interfaces vulnerable to XSRF
Several REST web services are vulnerable to XSRF|https://www.owasp.org/index.php/Cross-SiteRequestForgeryCSRF, allowing malicious web pages to execute them under the context of a logged in users browser. It's understood that JIRA REST interfaces are typically protected against XSRF based on the...
Javascript escape the value of "dark features" within the javascript context they are rendered out in
Current user specific dark feature values are not javascript escaped in the javascript context they exist in. e.g. the value "' + evalalert1 ' +" without the double quotes appears like the following in the feature javascript context: / Dark features are features that can enabled and disabled per...
ConsumerConfigurationServlet Open Redirect
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen
The administration screen which facilitates the addition of new custom field options is vulnerable to csrf, as it does not check that the atltoken submitted is in fact legitimate for the user submitting it you can put in any value for the token field. To access this screen you can go to a url...
admin/fixCaseInSpacePermissions.jsp lacks an XSRF token to 'fix the case of your space permissions'
admin/fixCaseInSpacePermissions.jsp does not require a csrf token to 'fix the case of your space permissions'. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
restructureattachments.jsp Triggering off a Restructure job lacks an XSRF token
In restructureattachments.jsp Triggering off a Restructure job does not require a csrf token. To trigger it just send a POST to the page with the following post data: 'action:Restructure'. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to...
XML Vulnerability in Confluence
We have identified and fixed a vulnerability in Confluence that results from the way third-party XML parsers are used in Confluence. This vulnerability allows an attacker to: Execute denial of service attacks against the Confluence server, or Read all local files readable to the system user under...
Improve the default SSL cipherset in standalone JIRA setup
We are concerned about 'SSL Weak Cipher Suites Supported' and 'SSL Medium Strength Cipher Suites Suppored'. Any suggestions would be helpful...
XML Vulnerability in Crowd
We have identified and fixed a vulnerability in Crowd that results from the way XML parsers are used. This vulnerability allows an attacker to: Execute denial of service attacks against the Crowd server, or Read all local files readable to the system user under which Crowd runs. All versions of...
XSS Vulnerabilities in JIRA Attachments?
At the current moment, JIRA do not have any restrictions for attachment files, which allows users to upload malicious file into JIRA issues. This can be a problem when we open an attachments using Mozilla Firefox, since the browser allows us to open attachments using web browser. The steps to...
LogToServer action lets anyone log messages to the server log
Available without authentication. This can be used to hide breakin attempts or fill the disk if no log rotation is in place...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-24358. panel This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for...
Do not show registered users in quick search to anonymous users
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-23985. panel Registered users appears in quick search, even when it's a search made by anonymous...
Issue key can be enumerated - Resolve Issue Feature
Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to horizontal privilege elevation attacks within the Resolve Issue feature, accessible through the given address:...
Issue key can be enumerated - Resolve Issue Feature
Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to horizontal privilege elevation attacks within the Resolve Issue feature, accessible through the given address:...
XSS vulnerability in /admin/chooseBuildsToMove.action resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo chooseBuildsToMove resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
Make captcha harder, or allow configuration of captcha difficulty, in order to prevent sophisticated spam attacks
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-22700. panel Every day we get a load of automated anonymous comment spam on our confluence pages. It seems that the captcha is...
XSS Vulnerability in Issue Links and Labels
We have identified and fixed a number of cross-site scripting XSS vulnerabilities in JIRA issue links and labels. Affected versions are 4.2.x to 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various...
XSRF vulnerability in the Social Bookmarking plugin
We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Social Bookmarking plugin. Note that the Social Bookmarking plugin is disabled by default. If you do not...
HTML file type attachments are automatically rendered in IE.
h1. Steps to reproduce Create following HTML file and upload to any of Confluence page. code alert"Cookie: " + document.cookie; code Open the file on Internet Explorer 7. Then, you will see the javascript in that HTML file executed automatically. Issue happens with IE9,8,7 with Confluence 3.5...
HTML file type attachments are automatically rendered in IE.
h1. Steps to reproduce Create following HTML file and upload to any of Confluence page. code alert"Cookie: " + document.cookie; code Open the file on Internet Explorer 7. Then, you will see the javascript in that HTML file executed automatically. Issue happens with IE9,8,7 with Confluence 3.5...
XSS vulnerability in doeditmysettings.action
This vulnerability affects all versions from 3.5 and above. We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence settings editing action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more...
As a developer or release manager I want to be able to create and manage versions in JIRA without having to be given project admin permissions
Currently JIRA only allows a user to create, release and generally manage versions in a project if the user is a project admin. However there are numerous use cases where developers, release managers, project managers, etc. need to be able to perform this function but don't need full admin rights...
XSS vulnerability in Crucible changeset comments in search results
We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible changeset comments in search results. Affected versions are Crucible 2.3.0 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You ca...
XSS vulnerability in Crucible Author Mapping
We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Author Mapping. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS...
XSS vulnerability in Crucible's Snippets
We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Snippets. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attack...
Remember Me filter not working for FishEye/Crucible
The current implementation of the FishEye filter still require that the Remember Me cookie have the encrypted credentials for the user, what is no longer true as that pose a major security vulnerability. The filter should rely on the JIRA Remember Me funcionality. If the user logged in using the...
XSS vulnerability in the action links of Confluence's attachments lists.
We have identified and fixed a cross-site scripting XSS vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about...
Add warning to Shared Dashboards explaining consequence of 'everyone'
In JRA-22207, a warning was added to the "Shared Filters" page explaining what "Everyone" actually means. The "Shared Dashboards" screen also needs this warning. Please also search in the code for anywhere else this permissions-setting control is used...
XSS vulnerability in Global Reports macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence global-reports macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
Wrong HTTP response codes leak information
There are some resources exposed in FeCru where depending on their existence user may get 403 or 404 http response code depending on the existence of the resource. Because the permission check is done earlier than existence check, server may leak the existence of particular resource to the...
Wrong HTTP response codes leak information
There are some resources exposed in FeCru where depending on their existence user may get 403 or 404 http response code depending on the existence of the resource. Because the permission check is done earlier than existence check, server may leak the existence of particular resource to the...
Patches for XSS / XSRF vulnerabilities
We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS Cross Site Scripting attacks and/or Cross Site Request Forgery XSRF attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory...
Page view restriction is not inheriting to child pages in some spaces
When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...
restrict the access to JIRA for specific pairs "user account - host"
to be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such distribution groups and computer groups in tool of the coding of...
Potential attack vector using attachments
Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...
XSRF vulnerability in the Mail Page plugin
We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Mail Page plugin. Note that the Mail Page plugin is disabled by default. If you do not have this plugin...
Confluence should not allow configuration of Office Connector temporary storage location
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...
NullPointerException when there are no cookies and AccessLogRequestInfo is enabled
When using the filter-list and project-list plugins I ran into an issue where NullPointerExceptions were being thrown. I turned out the issue is in AccessLogRequestInfo when the Cookie header doesn't exists. The line that causes the exception is a log.debug line. I am including a patch that check...