Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2008/06/04 1:58 a.m.19 views

SSO credentials not used in IssueViewURLHandler

A customer has created a SSO plugin and are facing some specific issues in this context. When they click on the printable link of an issue i.e: http://jira/lodh/si/jira.issueviews:issue-html/ORGJIRA-13/ORGJIRA-13.html they get an error page indicating "the user myuser... doesn't exist..." They...

7.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/04 4:21 p.m.19 views

Change issue Security Level on Transition

We need a way to automatically change the Security Level of an issue when it is transitioned. Currently our project is has a default Security Level that only allows the assignee and management to see an issue, we would like to automatically open that issue up once it is fixed...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/04/04 4:21 p.m.19 views

Change issue Security Level on Transition

We need a way to automatically change the Security Level of an issue when it is transitioned. Currently our project is has a default Security Level that only allows the assignee and management to see an issue, we would like to automatically open that issue up once it is fixed...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/17 5:0 a.m.19 views

XSS vulnerability in pagepicker.action and spacepagepicker.action

The following URL's are vulnerable: - /users/pagepicker.action - /users/spacepagepicker.action on formname, fieldname and currentspace panel:bgColor=99ff99 h4. Patch instructions for 2.6.x and 2.7.x 1. Shut down Confluence 2. Copy attached pagepicker.vm to confluence/users/ 3. Start up Confluence...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/01/10 3:35 a.m.19 views

Moving a subtask Issue Type will sometimes ask the user for a Security Level even though this value is inherited from the Parent Issue.

When you move a subtask from an Issue Type where Security Level is a hidden field, to one where Security Level is no longer hidden, the system can mistakenly ask the User for a new Security Level. This is only a minor issue, as then the subtask will not actually take on the chosen value - it will...

0.4AI score
Exploits0
Atlassian
Atlassian
added 2007/12/19 2:16 p.m.19 views

Security vulnerability with Dashboard spacesSelectedTab

Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/12/19 2:16 p.m.19 views

Security vulnerability with Dashboard spacesSelectedTab

Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/12/07 2:32 p.m.19 views

XSS vulnerability in recently updated and configure RSS feed actions

Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/10/03 2:58 a.m.19 views

Velocity does not automatically escape HTML entities when substituting variables

Velocity should automatically escape encode HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/25 9:12 p.m.19 views

Cross-site scripting vulnerability in 500page.jsp

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. The file 500page.jsp should escape the attributes and parameters to prevent code...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/11 2:10 p.m.19 views

Recently updated links for users with personal spaces link to profile if personal space is not accessible

Users without the global access right for personal space can still see links to personal spaces in the "Recently updated" list on their dashboard. This is a serious security problem for extranets, when one wants to prevent non anonymous external users to see who's using the wiki. Note: this probl...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2007/08/31 4:13 a.m.19 views

Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence

'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros. The vulnerabilities are classified as XSS Type 2 stored and the details with example exploits are in the pdfs attached. Because of similarity of the vulnerabilities assume that it is more than...

6.6AI score
Exploits0
Atlassian
Atlassian
added 2007/08/28 5:57 a.m.19 views

Unwanted Access to File System via Import Pages Functionality

security vulnerability found in Confluence 2.5.6 Space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at "/" folder or any other folder. Because this folder doesn't contain expected files, an error message is displayed,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/02 10:47 p.m.19 views

Max label limit can be passed by adding labels via ajax

For CONF-8978, limits were implemented on how many labels can be added in one submit by various "add label" screens, and how many labels can be set on an edit page/edit news screen. However, there is nothing to prevent extra labels being added by the "add label" screens beyond the number allowed ...

1.4AI score
Exploits0
Atlassian
Atlassian
added 2007/07/31 4:4 a.m.19 views

Remove the space-list from the 404-error-page to reduce load on server

The default 404 page shows a list of spaces. On a big, busy instance this can generate a lot of load. The query is run on every 404 which can happen multiple times on a request if there are some bad resources missing css/js etc. Perhaps there should be some sort of throttling or configuration to...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:52 a.m.19 views

XSS vulnerability at "Edit Space Permissions"

Description: XSS vulnerability at "Edit Space Permissions" page Exploit: Write to the "Grant permission to" field: "alertdocument.cookie"...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2007/07/23 11:49 a.m.19 views

Vulnerability against DoS attack at permission setting

Description: This bug is similar like this one: http://jira.atlassian.com/browse/CONF-8978. Exploit: Insert to the "Grant permission to" field x thousand comma without sapce...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 12:41 p.m.19 views

XSS vulnerability in app/spaces/listattachmentforspace.action

Description: XSS via the "Filter By File Extension" field in app/spaces/listattachmentforspace.action. Exploit: blah"alertdocument.cookiex x="...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/19 8:51 a.m.19 views

People Directory search can be misused to retrieve email addresses of all users

Even when email addresses should be hidden because of global settings, it is possible to retrieve email addresses of all the users in the system by misusing search in people directory. It seems that the email address is one of the attributes that are being indexed by the search engine. So if one...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/17 12:59 a.m.19 views

XSS vulnerability: space name and key not validated nor escaped

Email sent from Igor: quote The problem: The input for space name and key is not being validated properly. I created a JIRA for lacking length validation CONF-8894 and later on I noticed that any characters in the input for space name are allowed. Combine that with another batch of bugs - space...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/17 12:51 a.m.19 views

Create patch to CONF-8877 for Confluence 2.5.4

Since this is a major security issue we need to create patches for older versions...

2.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/04/13 1:58 a.m.19 views

Authentication via os_username and os_password URL params is broken

Logging in by specifying username/password in the URL like this: noformathttp://jira.atlassian.com/browse/XYZ-114?decorator=none&view=rss&osusername=LOGIN&ospassword=PASSWORDnoformat used to work. tested with JIRA 3.6.3 Now you get presented with an undecorated "not logged in" message. This issue...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/03/27 7:41 a.m.19 views

Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date

emphasized textSimilar to JRA-12410 - deleting a custom field does not adequately clean up after itself. Specifically, affected issues are not reindexed so the updated security and permission aspects are not reflected in search results which is a security hole. Note that a naive fix may produce...

0.3AI score
Exploits0
Atlassian
Atlassian
added 2007/03/27 7:41 a.m.19 views

Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date

Similar to JRA-12410 - deleting a custom field does not adequately clean up after itself. Specifically, affected issues are not reindexed so the updated security and permission aspects are not reflected in search results which is a security hole. Note that a naive fix may produce performance...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/01/10 3:32 a.m.19 views

XSS bug: usernames not HTML-encoded in all places

When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting XSS attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...

5.9AI score
Exploits0
Atlassian
Atlassian
added 2006/11/29 8:6 a.m.19 views

Directory listing enabled on Tomcat

Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...

3.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/07/28 6:59 a.m.19 views

IP restrictions on admin rights

A security conscience evaluator has requested the option to restrict administration access to a range of / a specific IP address/es...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2006/04/15 10:2 a.m.19 views

Change a user's password remotely

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-9921. panel I would like to be able to change a user's password remotely. Suggested API and implementation as follows: codevoid...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/11/03 3:17 a.m.19 views

Project admin is presented with an option to select a Screen Scheme

The option of changing the scheme should only be given to the global admins...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2005/11/03 3:17 a.m.19 views

Project admin is presented with an option to select a Screen Scheme

The option of changing the scheme should only be given to the global admins...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/11/08 2:58 p.m.19 views

A page containing the rss-macro is not displayed if the requested rss-feed is "down"

A page containing the rss-feed macro is not shown if the requested rss-feed is "down" there's no response sent to the browser. It would certainly be better if the page could be displayed anyway; perhaps with a message stating that the feed contents can't be fetched...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/09/17 9:37 a.m.19 views

MoveIssue does not keep the security issue level after the move.

MoveIssue does not keep the security issue level after the move...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/04/01 11:52 a.m.19 views

Character not allowed in user name

A user has sign up with the user name "m&m". The i tried to modify this user. Because the username is passed as url parameter FooServlet?name=m&m : GET or POST method the servlet container cut the name and try to retreive the username named "m" !!! The only way is to use a database client, change...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/02/14 4:19 a.m.19 views

Applet certificate is not trusted.

You need to get a proper certificate for the applet - or else there will be some disquiet amongst some corporate users - and their IT Security overlords...

2AI score
Exploits0
Atlassian
Atlassian
added 2002/04/09 2:39 p.m.19 views

Asked to re-authenticate to delete issue

/jira/secure/DeleteIssue!default.jspa?id=10012 everything seems to work ok, but I try to delete previously existing issue and I get redirected to the URL above. instead of a delete issue page, I get a login page, only it looks messed up - it's the login form table miniwindow except spread 100%...

0.6AI score
Exploits0
Atlassian
Atlassian
added 2026/04/08 10:29 p.m.18 views

MITM (Man-in-the-Middle) xmlhttprequest Dependency in Jira Service Management Data Center

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity MITM Man-in-the-Middle vulnerability was introduced in versions 11.1.0, 11.2.0, and 11.3.0 of Jira Service...

9.4CVSS7.2AI score0.02056EPSS
Exploits1
Atlassian
Atlassian
added 2026/03/06 5:28 a.m.18 views

File Inclusion node-tar Dependency in Jira Service Management Data Center

This High severity File Inclusion vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.1 of Jira Service Management Data Center. This File Inclusion vulnerability, with a CVSS Score of 8.2...

8.2CVSS6AI score0.00541EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 6:28 p.m.18 views

DoS (Denial of Service) ua-parser-js Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25927 was introduced in versions 5.17.2, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, and 11.0.0 of Jira Service Management Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Sco...

7.5CVSS7.3AI score0.01725EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/11 6:28 p.m.18 views

DoS (Denial of Service) semver Dependency in Jira Software Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25883 was introduced in versions 11.3.0 and 11.3.1 of Jira Software Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS7AI score0.02761EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 4:29 p.m.18 views

DoS (Denial of Service) in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2020-28469 was introduced in versions 6.0.0, 6.1.5, 6.2.4, 6.3.0, 7.0.0, and 7.1.0 of Crowd Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.5AI score0.04456EPSS
Exploits1
Atlassian
Atlassian
added 2026/02/11 4:29 p.m.18 views

DoS (Denial of Service) in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-25927 was introduced in versions 5.3.1, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 7.0.0, and 7.1.0 of Crowd Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5CVSS5.5AI score0.01725EPSS
Exploits2
Atlassian
Atlassian
added 2026/02/05 9:27 p.m.18 views

DOM-based XSS com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer Dependency in Bamboo Data Center and Server

This High severity DOM-based XSS vulnerability known as CVE-2025-66021 was introduced in versions 10.2.9, 11.0.7, 12.0.1, and 12.1.0 of Bamboo Data Center and Server. This DOM-based XSS vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of...

8.6CVSS6.1AI score0.00226EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/16 6:45 a.m.18 views

DoS (Denial of Service) cross-spawn Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.0 of Jira Service Management Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.7 and a CVSS Vector of code:java...

8.7CVSS8.3AI score0.00873EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/09 6:27 p.m.18 views

Race Condition at org.glassfish.jersey.core:jersey-client in Bamboo Data Center

This is a vulnerability in a non-Atlassian Bamboo dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Race Condition vulnerability was introduced in versions 9.6.0, 10.0, 10.1 and 10.2.0 of Bamboo Data Center and Server. This...

9.4CVSS5.4AI score0.00277EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/09 4:27 p.m.18 views

XSS (Cross Site Scripting) dompurify Dependency in Jira Software Data Center and Server

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 9.15.2, 9.16.0, 9.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, and 11.1.0 of Jira Software Data Center and Server. This XSS Cross Site Scripting vulnerability, with a CVSS Score o...

7.3CVSS6.6AI score0.00844EPSS
Exploits0
Atlassian
Atlassian
added 2026/01/08 10:27 p.m.18 views

Injection cipher-base Dependency in Jira Software Data Center and Server

This High severity Injection vulnerability was introduced in versions 10.3.0, 11.0.0, 11.1.0, and 11.2.0 of Jira Software Data Center and Server. This Injection vulnerability, with a CVSS Score of 9.1 and a CVSS Vector of code:java CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:Hcode allows an...

9.1CVSS7.4AI score0.0047EPSS
Exploits1
Atlassian
Atlassian
added 2026/01/02 7:27 a.m.18 views

DoS (Denial of Service) qs Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 10.3.14 of Jira Service Management Data Center and Server. This vulnerability with a CVSS Score of 8.7 and a CVSS Vector of...

6.3CVSS5.5AI score0.0041EPSS
Exploits1
Atlassian
Atlassian
added 2025/12/19 7:27 p.m.18 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.2 of Crowd Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to access...

7.5CVSS5.4AI score0.01456EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.18 views

DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 8.19.0 of Bitbucket Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.6, allows an attacker to perform actions to degrade service, which has no impact to confidentiality, no...

8.6CVSS8.1AI score0.01702EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:28 a.m.18 views

Injection in Crowd Data Center and Server

This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Injection vulnerability known as CVE-2025-9288 was introduced in versions 2.2.6, 2.4.11, 6.2.4, 6.3.0, and 7.1.0 of Crowd Da...

9.1CVSS5.6AI score0.00651EPSS
Exploits2
Total number of security vulnerabilities4295