4295 matches found
Not all error strings are encoded
A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...
XSS vulnerability in Colour Scheme settings
An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...
XSS vulnerability in Colour Scheme settings
An XSS vulnerability has been discovered in the Colour Scheme settings. The severity of this issue is rated as HIGH. Please refer to the security advisory http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-04-x for details...
XSS vulnerability in search
An XSS vulnerability has been found in the searching component of Confluence...
brute force password attack protection by default
We have added an upgrade task to set jira.maximum.authentication.attempts.allowed=5 on all instances even if they previous had set it to something else. This is to ensure that systems are more safe by default...
Brute force protection on JIRA 4.1 leaks valid account names
The brute force login protection in JIRA only activates when a real user account is accessed. This can be used by an attacker to harvest a list of valid logins on the system. The brute force login protection should activate when either the login or the password is wrong...
XSS Vulnerabilities in JIRA
panel:borderColor=ff0000|borderStyle=solid|bgColor=ffccccWarning: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one. For more details, see JIRA Security Advisory -...
Allow non-Administrators to be able to modify workflows
As an IT Manager, by having to add users to the Administrators group in order to edit and manage workflows is prohibitive to the administration and security of our Jira environment. While I want users to create, manage and edit workflows, I do NOT want them creating or modifying accounts which...
xss vulnerability in issuelinksmall.jsp
Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...
Custom fileds inconsistently escaped in view and edit screens
Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...
A link to Re-Indexing is visible to users even if they are not sys admin
I saw this on EACJ where I am not a sys admin quote XXXX made configuration changes in section 'Custom Fields' at 01/Feb/10 1:16 PM. It is recommended that you perform a re-index. For more information, please click the Help icon. To perform the re-index now, please go to the 'Indexing' section...
Include XSS security warning on HTML macro description in Wiki Markup Renderer
Include XSS security warning on HTML macro description in Wiki Markup Renderer. Derived from JRA-19802...
Remove database passwords from the file system.
Currently if you connect Jira to an external database, you must store the database credentials on the file system either in the server.xml file Jira standalone, or in an equivalent file. This has security implications. Can we modify the application to not store this information on the file system...
User's Full Name is an XSS vector in Status Updates tab of User Profile
A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile. 1 Set a user's Full Name as "alertdocument.cookie". 2 Log out. 3 If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous. 4 Go to the profile page for the user...
deleted page is still accessible in Confluence when accessing via viewpage.action?pageId in the url
Deleted pages can still be accessed in Confluence when one enters their pageId in the url. For example: noformat http://confluence.atlassian.com/pages/viewpage.action?pageId=196837485 http://confluence.atlassian.com/display/CONFKB/Office+Connector noformat The links above are referring to the sam...
JQL not respecting Issue Security Level "Project Lead"
While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead HSP-3 has Issue Security Level of "Project Lead" only. empty JQL to show all visible issues doesn't show HSP-3. make fred the Project Lead same query: still no HSP-3 however: fred can browse to HSP-3 an...
JIRA should trust itself by default.
Upgrade Seraph and Trusted apps to 2.0.1/2.1. If the CurrentApplication implements TrustedApplication then return it if it is asked for by id...
XSS in PDF screen
The "PDF Export Stylesheet" field is not encoded...
XSS vulnerability in space name when page move would create a duplicate
Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...
XSS vulnerability when moving page between spaces
You can create a space with HTML in the name. In most places this space name is correctly encoded however in the tree component given when you chose to move a page the destination space is name is not encoded properly. To reproduce. 1 Create a space called alert"Howdy"; 2 Create a page in another...
XSS in user links
A user with username "alert"foo" that is linked to via \username markup results in script being executed. Curiously, viewing the space homepage of that user results in a blank page. This of course is prevented for public signup, but if the user gets created via other means, i.e. external user...
Viewfile macros do not respect page restrictions
Add a page Set viewing restrictions to user1 only Add an attachment - 'Sample.doc' Log in as user2 - confirm that you cannot see the restricted page Add a page, and use the viewfile macro Enter the location of the attachment on the restricted page The contents of the attachment can now be viewed ...
Encrypted passwords in osuser.xml
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-17317. panel We need to set a crypted password instead plain text password in java.naming.security.credentials within osuser.xml...
Encrypted passwords in osuser.xml
We need to set a crypted password instead plain text password in java.naming.security.credentials within osuser.xml...
Bright Cove User Macro-Cross-site script
Our e-security found the following error after they scanned the Bright Cove User Macro: Number System/Location Defect Type Status R4 Bright Cove User Macro Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...
JIRA build information not included in dummy XML responses to search filter requests which users do not have access to
The build-info element is missing from the response to search filter XML requests. noformat https://support.atlassian.com/sr/jira.issueviews:searchrequest-xml/10593/SearchRequest-10593.xml?tempMax=100 noformat Happens if the user does not have access to the filter. See also...
Impropper sanitisation of attachment filenames allows header injection
An attacker can craft a specific attachment filename, or rename the file once it has been uploaded to introduce arbitrary headers into the response stream...
Seraph binary dosn't correspond to source distribution for JIRA 3.13.2
Try to stepover getUserHttpServletRequest request, HttpServletResponse response Also, if user is not resolved by session, why not to try resolve it from cookie...
XSS in the Widget Connector
I've been working with the widget connector today and reading through the code when I noticed that the media uris are not being handled securely. try this: widget:url=youtube.com/v="alert'xss' In general there is not a unified way to prevent issues like this in the widget extensions and it is up ...
XSS in the Widget Connector
I've been working with the widget connector today and reading through the code when I noticed that the media uris are not being handled securely. try this: widget:url=youtube.com/v="alert'xss' In general there is not a unified way to prevent issues like this in the widget extensions and it is up ...
Confluence displays ALL attachments when the following URL is viewed
i removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, Irrispecitve of space and page level permission restrictions. For Example:...
Session must not be invalidated on logout
People ran into problems|http://forums.atlassian.com/thread.jspa?forumID=101&threadID=29965 because we started invalidating the session on logout in 2.9.2. They expect certain session attributes like the seraph LOGGEDOUTKEY to be present. This means we need to remove all session attributes except...
Confluence administrators (who are not necessarily sys admins) can configure whitelist
A user who has the "Confluence Administrator" permission, but not necessarily the "System Administrator" permission, can configure the new URL whitelist for the HTML-include and RSS macros. Is this good enough, from a security point of view?...
Restrict anonymous users from viewing user profiles.
Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://wikiBaseUrl/display/accountName. This is a major security problem for us because it exposes: 1. The user's name 2. The user's ID 3. T...
XSS in pagetree plugin
The pagetree plugin is vulnerable for XSS injecting the code in the treeId field. Example below:...
default config values restored
This should be for 2.9.1 - this version was not yet available under "affects versions" when filing this bug. After updating from 2.9 to 2.9.1, most of my settings were overwritten by their default values. - public signup got enabled - the language changed back to english instead of german - e-mai...
XSS in site search action
http://confluence.atlassian.com/dosearchsite.action?where=confall&queryString=%3Cscript%3Ealert'foo';%3C/script%3E queryString needs to be escaped. This problem is fixed if they turn on Anti-XSS mode. We still need to fix this as anti-xss is not on by default...
Hidden pages' content can be viewed without permission using diffpages.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A Page with id 2 is in Space B User cannot see Space A User can see Space ...
XSS using onerror
We had a user enter a viagra ad that actual redirected to their site. I think the offending code was here: although obviously they didn't use example.com I've attached the whole page for examination...
SSO credentials not used in IssueViewURLHandler
A customer has created a SSO plugin and are facing some specific issues in this context. When they click on the printable link of an issue i.e: http://jira/lodh/si/jira.issueviews:issue-html/ORGJIRA-13/ORGJIRA-13.html they get an error page indicating "the user myuser... doesn't exist..." They...
Users can move attachments to a space they have no permission for
Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence. Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably name...
Change issue Security Level on Transition
We need a way to automatically change the Security Level of an issue when it is transitioned. Currently our project is has a default Security Level that only allows the assignee and management to see an issue, we would like to automatically open that issue up once it is fixed...
Change issue Security Level on Transition
We need a way to automatically change the Security Level of an issue when it is transitioned. Currently our project is has a default Security Level that only allows the assignee and management to see an issue, we would like to automatically open that issue up once it is fixed...
XSS vulnerability in social bookmarking plugin bundled in Confluence
The social bookmarking plugin is bundled in Confluence 2.7.x and Confluence 2.6.x. As such this vulnerability affects all 2.7.x and 2.6.x instances even if you do not use the plugin or do not have the Add Bookmark Web Item enabled. The updatebookmark.action URL is vulnerable on these parameters: ...
XSS vulnerability in pagepicker.action and spacepagepicker.action
The following URL's are vulnerable: - /users/pagepicker.action - /users/spacepagepicker.action on formname, fieldname and currentspace panel:bgColor=99ff99 h4. Patch instructions for 2.6.x and 2.7.x 1. Shut down Confluence 2. Copy attached pagepicker.vm to confluence/users/ 3. Start up Confluence...
Moving a subtask Issue Type will sometimes ask the user for a Security Level even though this value is inherited from the Parent Issue.
When you move a subtask from an Issue Type where Security Level is a hidden field, to one where Security Level is no longer hidden, the system can mistakenly ask the User for a new Security Level. This is only a minor issue, as then the subtask will not actually take on the chosen value - it will...
Security vulnerability with Dashboard spacesSelectedTab
Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...
Security vulnerability with Dashboard spacesSelectedTab
Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...
XSS vulnerability in recently updated and configure RSS feed actions
Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...
Velocity does not automatically escape HTML entities when substituting variables
Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...