Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2011/04/21 1:16 a.m.•19 views

XSS vulnerability in Crucible's Snippets

We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Snippets. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attack...

Exploits0
Atlassian
Atlassian
•added 2011/02/22 9:55 p.m.•19 views

Remember Me filter not working for FishEye/Crucible

The current implementation of the FishEye filter still require that the Remember Me cookie have the encrypted credentials for the user, what is no longer true as that pose a major security vulnerability. The filter should rely on the JIRA Remember Me funcionality. If the user logged in using the...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/02/15 12:5 p.m.•19 views

Ability to perform a bulk random password reset for users per project

Would like to have the ability to perform a bulk password reset on user accounts for any particular JIRA project. Have recently received a request from a customer to perform this operation on their project. I did raise a support call JSP-73240 and was recommended to raise a New Feature Request...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/02/03 11:20 p.m.•19 views

XSS vulnerability in the action links of Confluence's attachments lists.

We have identified and fixed a cross-site scripting XSS vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/30 3:6 a.m.•19 views

Add warning to Shared Dashboards explaining consequence of 'everyone'

In JRA-22207, a warning was added to the "Shared Filters" page explaining what "Everyone" actually means. The "Shared Dashboards" screen also needs this warning. Please also search in the code for anywhere else this permissions-setting control is used...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/03 2:26 a.m.•19 views

XSS vulnerability in Global Reports macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence global-reports macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

5.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/19 12:33 a.m.•19 views

Wrong HTTP response codes leak information

There are some resources exposed in FeCru where depending on their existence user may get 403 or 404 http response code depending on the existence of the resource. Because the permission check is done earlier than existence check, server may leak the existence of particular resource to the...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/19 12:33 a.m.•19 views

Wrong HTTP response codes leak information

There are some resources exposed in FeCru where depending on their existence user may get 403 or 404 http response code depending on the existence of the resource. Because the permission check is done earlier than existence check, server may leak the existence of particular resource to the...

7AI score
Exploits0
Atlassian
Atlassian
•added 2010/10/12 1:7 a.m.•19 views

Patches for XSS / XSRF vulnerabilities

We have identified and fixed vulnerabilities in JIRA 4.2 which will allow an attacker to invoke XSS Cross Site Scripting attacks and/or Cross Site Request Forgery XSRF attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2010/09/22 6:18 p.m.•19 views

Page view restriction is not inheriting to child pages in some spaces

When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/16 1:30 p.m.•19 views

Can't set visibility on comment created via Activity Stream Gadget

I can't restrict the visibility of an comment created via the activity stream gadget. In our environment it is important for us to have this feature available everywhere where users are able to create comments on issues...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/06 4:33 a.m.•19 views

Potential attack vector using attachments

Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...

3AI score
Exploits0
Atlassian
Atlassian
•added 2010/08/25 2:4 a.m.•19 views

XSRF vulnerability in the Mail Page plugin

We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Mail Page plugin. Note that the Mail Page plugin is disabled by default. If you do not have this plugin...

6.8AI score
Exploits0
Atlassian
Atlassian
•added 2010/08/25 1:48 a.m.•19 views

Confluence should not allow configuration of Office Connector temporary storage location

Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...

1.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/08/06 1:53 a.m.•19 views

Replace unsafe text gadget and add to JIRA Cloud

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-21965. panel panel:title=Atlassian Update - 23 April 2015|borderStyle=solid|borderColor=ebf2f9|titleBGColor=ebf2f9|bgColor=ffffff Hi everyon...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/07/28 4:42 p.m.•19 views

NullPointerException when there are no cookies and AccessLogRequestInfo is enabled

When using the filter-list and project-list plugins I ran into an issue where NullPointerExceptions were being thrown. I turned out the issue is in AccessLogRequestInfo when the Cookie header doesn't exists. The line that causes the exception is a log.debug line. I am including a patch that check...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/20 3:13 a.m.•19 views

Pluggable CAPTCHA

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21359. panel CAPTCHA should be pluggable in JIRA CAPTCHA|http://en.wikipedia.org/wiki/CAPTCHA is supposed to stop spam and other automated...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/20 3:2 a.m.•19 views

Password strength measurement and restriction

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21358. panel Enable password strength rules to tell the user the effective strength of the password they choose optionally allow administrato...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 5:52 a.m.•19 views

XSS vulnerability in some JSPs under admin section

Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 5:28 a.m.•19 views

Only strings are encoded

The XML encoder only encodes strings. This could make Confluence return non encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issue and more information on how we rate issues...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 1:19 a.m.•19 views

Mail support request accepts any e-mail address

The SupportUtility allows the user to enter an arbitrary e-mail address to send a copy of the e-mail to. This issue removes the option for users to enter an e-mail address to CC. This issue also introduces a flag that prevents the TO address from being changed through the web interface. By defaul...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 1:7 a.m.•19 views

Anonymise config files in support zip

Files included in the generated zip file could contain private information. This issue addresses that by removing all sensitive information before creating the zip. The severity of this issue is HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues and...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 1:3 a.m.•19 views

Not all error strings are encoded

A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 12:49 a.m.•19 views

XSS vulnerability in Colour Scheme settings

An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 12:49 a.m.•19 views

XSS vulnerability in Colour Scheme settings

An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 12:37 a.m.•19 views

XSS vulnerability in search

An XSS vulnerability has been found in the searching component of Confluence...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 12:36 a.m.•19 views

XSS Bookmark vulnerabilities

The Add bookmark page is vulnerable to XSS attacks...

1.9AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/19 3:11 a.m.•19 views

brute force password attack protection by default

We have added an upgrade task to set jira.maximum.authentication.attempts.allowed=5 on all instances even if they previous had set it to something else. This is to ensure that systems are more safe by default...

2.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/19 12:57 a.m.•19 views

Brute force protection on JIRA 4.1 leaks valid account names

The brute force login protection in JIRA only activates when a real user account is accessed. This can be used by an attacker to harvest a list of valid logins on the system. The brute force login protection should activate when either the login or the password is wrong...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 4:36 a.m.•19 views

runportleterror.jsp contains XSS hole

The runportleterror.jsp contains an XSS attach vector via the unescaped 'portletKey' URL parameter. The parameter should be escaped properly...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 1:0 a.m.•19 views

Custom fileds inconsistently escaped in view and edit screens

Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...

0.7AI score
Exploits0
Atlassian
Atlassian
•added 2010/02/26 5:40 a.m.•19 views

A link to Re-Indexing is visible to users even if they are not sys admin

I saw this on EACJ where I am not a sys admin quote XXXX made configuration changes in section 'Custom Fields' at 01/Feb/10 1:16 PM. It is recommended that you perform a re-index. For more information, please click the Help icon. To perform the re-index now, please go to the 'Indexing' section...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/01/13 10:17 a.m.•19 views

Include XSS security warning on HTML macro description in Wiki Markup Renderer

Include XSS security warning on HTML macro description in Wiki Markup Renderer. Derived from JRA-19802...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/23 2:27 a.m.•19 views

Randomised password not sent in email

When creating a user with password normally, the notification email to that new user will contain the password. However creating a new user and leave the password blank, JIRA randomly generates a password for that user, but the randomised password "is not sent" in the notification email to that...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/10 6:55 p.m.•19 views

Remove database passwords from the file system.

Currently if you connect Jira to an external database, you must store the database credentials on the file system either in the server.xml file Jira standalone, or in an equivalent file. This has security implications. Can we modify the application to not store this information on the file system...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/02 4:10 a.m.•19 views

User's Full Name is an XSS vector in Status Updates tab of User Profile

A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile. 1 Set a user's Full Name as "alertdocument.cookie". 2 Log out. 3 If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous. 4 Go to the profile page for the user...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2009/11/02 4:19 a.m.•19 views

deleted page is still accessible in Confluence when accessing via viewpage.action?pageId in the url

Deleted pages can still be accessed in Confluence when one enters their pageId in the url. For example: noformat http://confluence.atlassian.com/pages/viewpage.action?pageId=196837485 http://confluence.atlassian.com/display/CONFKB/Office+Connector noformat The links above are referring to the sam...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/11/02 4:19 a.m.•19 views

deleted page is still accessible in Confluence when accessing via viewpage.action?pageId in the url

Deleted pages can still be accessed in Confluence when one enters their pageId in the url. For example: noformat http://confluence.atlassian.com/pages/viewpage.action?pageId=196837485 http://confluence.atlassian.com/display/CONFKB/Office+Connector noformat The links above are referring to the sam...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/10/21 1:33 a.m.•19 views

Confluence users should inherit permissions from the anonymous user

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-17278. panel This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixed...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/08/26 1:55 p.m.•19 views

Add a password lockout feature

Confluence does not prevent someone from making a script that tries every possible password combination for a Confluence account. There should be an option to set a max attempts and then lock out the user from the system. This is obviously a security problem as Confluence within most companies us...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/07/31 6:6 a.m.•19 views

JQL not respecting Issue Security Level "Project Lead"

While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead HSP-3 has Issue Security Level of "Project Lead" only. empty JQL to show all visible issues doesn't show HSP-3. make fred the Project Lead same query: still no HSP-3 however: fred can browse to HSP-3 an...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/07/30 4:4 a.m.•19 views

Upgrade to the latest version of Seraph and Trusted Applications library

Andreas needs to make some improvements to trusted-application behaviour for Gadgets. In order to do this, we need to first get onto the latest version of Seraph where Trusted Applications is split out into a separate library. Also, the new version of Seraph uses a version of oscore library|SER-1...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/06/26 2:5 a.m.•19 views

XSS in PDF screen

The "PDF Export Stylesheet" field is not encoded...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/06/18 6:38 a.m.•19 views

XSS vulnerability in space name when page move would create a duplicate

Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/06/03 7:28 a.m.•19 views

XSS vulnerability when moving page between spaces

You can create a space with HTML in the name. In most places this space name is correctly encoded however in the tree component given when you chose to move a page the destination space is name is not encoded properly. To reproduce. 1 Create a space called alert"Howdy"; 2 Create a page in another...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/29 4:14 a.m.•19 views

XSS in user links

A user with username "alert"foo" that is linked to via \username markup results in script being executed. Curiously, viewing the space homepage of that user results in a blank page. This of course is prevented for public signup, but if the user gets created via other means, i.e. external user...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/21 8:5 a.m.•19 views

Viewfile macros do not respect page restrictions

Add a page Set viewing restrictions to user1 only Add an attachment - 'Sample.doc' Log in as user2 - confirm that you cannot see the restricted page Add a page, and use the viewfile macro Enter the location of the attachment on the restricted page The contents of the attachment can now be viewed ...

2.1AI score
Exploits0
Atlassian
Atlassian
•added 2009/05/15 10:52 a.m.•19 views

Encrypted passwords in osuser.xml

We need to set a crypted password instead plain text password in java.naming.security.credentials within osuser.xml...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:38 p.m.•19 views

Bright Cove User Macro-Cross-site script

Our e-security found the following error after they scanned the Bright Cove User Macro: Number System/Location Defect Type Status R4 Bright Cove User Macro Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/12 7:47 a.m.•19 views

JIRA build information not included in dummy XML responses to search filter requests which users do not have access to

The build-info element is missing from the response to search filter XML requests. noformat https://support.atlassian.com/sr/jira.issueviews:searchrequest-xml/10593/SearchRequest-10593.xml?tempMax=100 noformat Happens if the user does not have access to the filter. See also...

1AI score
Exploits0
Total number of security vulnerabilities4295