4295 matches found
Space permissions ignored in list of blog posts by date
h3. Summary Users have the ability to view a list of all blog posts, even from spaces in which they don't have permission to access. h3. Steps to Reproduce Install Confluence 5.7.x Create two spaces Space A Space B remove all permissions for confluence-users Create a blog post in Space A Create a...
Sensitive information displayed in anonymous REST API calls
h4. Expected behavior Block sensitive information from being displayed on anonymous REST API calls in JIRA. h4. Actual behavior Users' full-name are displayed when running the calls below: noformat /user/picker?query= /groupuserpicker?query=ali&showAvatar noformat Default fields and custom fields...
Administrator role has access to restricted pages
Setting up e.g. a personal space and giving only the owner full access, anonymous access denied, some people administrators? still have access can view, change permission and add comments. This is regardless of space or site restriction. We are using the build-in security systems shared with JIRA...
Ability to encryption Confluence's notification emails.
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-35985. panel Confluence is growing fast as well as security. It would be great if we were capable to configure Confluence to...
OGNL Double Evaluation Vulnerability
We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the FishEye web interface. All versions of FishEye up to and including 3.6.1 a...
XSS vulnerability in spacedirectory
Good morning, I wanted to tell you to run vulnerability tests confluence, thrown the same XSS vulnerabilities. Version tested: 5.4.4 What steps should I follow to fix their vulnerabilities? Or vulnerabilities will be resolved for you? I attached the vulnerabilities: 1 GET...
"Recently updated" plugin can be used to reflect arbitrary static content to browser
This request: noformat /plugins/recently-updated/changes.action?theme=XXXXXXXX noformat results in the response: noformat HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-cache, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Confluence-Request-Time: 1412654577325...
Confluence search returns results from Questions, eventhough CQ does not have anonymous "can-use" permissions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47841. panel h4.Steps to Reproduce: Install CQ "1.0.618" or "1.0.618.001" Make sure that CQ does not have anonymous access Brows...
Confluence search returns results from Questions, eventhough CQ does not have anonymous "can-use" permissions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47841. panel h4.Steps to Reproduce: Install CQ "1.0.618" or "1.0.618.001" Make sure that CQ does not have anonymous access Brows...
Tools/Share sends e-mail to disabled users
I have Confluence/JIRA latest versions self hosted. Confluence gets its users from JIRA. I created a new topic and then used the Tools/Share option to notify all of the new topic. I used "jira-users" to send the message to. It sent to everyone including disabled users. I would expect the behavior...
Password for LDAP Connection Displayed in the "directoryConfigurationSummary.txt" file
In the Support.zip|https://confluence.atlassian.com/display/DOC/Troubleshooting+Problems+and+Requesting+Technical+SupportTroubleshootingProblemsandRequestingTechnicalSupport-Method1:UsingtheSupportRequestFormviatheConfluenceAdministrationConsole there is a file named...
Escape or filter script tags in "all activity" panel
We've got an external report about a third party plugin: quote From: Vincent Ollivier Date: 29 July 2014 13:12 Subject: JIRA 6.2.5 / JEditor XSS Vulnerability To: [email protected] Hi, Sorry for the email, I couldn't find the correct project to report this security issue. There's an XSS in...
Make categories in Space Directory visible only to users who can access the spaces
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-34136. panel Anonymous users can see a list of categories in the Space Directory, even though they don't see the spaces...
Remote DoS Exploit on Confluence
Nir Goldshlager have discovered a vulnerability on atlassian-gadgets when parsing XMLs. Basically anyone can craft a URL containing a parameter with some XML that will make the instance run out of memory when trying to parse it. Details on the attack can be found on...
Bruteforce Attack via Applinks Servlet
An attacker is able to perform bruteforce attacks via the applinks servlet. There is no captcha protection, nor do accounts get locked out after excessive attempts. The attacker can input a username, and perform bruteforce attacks on the login form. The core issue is that there is no login attemp...
Flash content-type sniffing allows Cross Site Data Hijacking
As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website it is possible to upload a flash file to confluence with a different content-type than for flash and when embedded on an attacker's domain will be able to make requests to the...
XSS in FilterSubscription
h4. To reproduce: Visit: code:none /secure/FilterSubscription!default.jspa?returnUrl=javascript:alert1 code Click "Cancel" An alert should appear This URL should be restricted to the current domain, and to http/https protocols...
statTypes REST API exposes all statistics field names anonymously
On an instance with no anonymous access enabled, /rest/gadget/1.0/statTypes returns a list of all stattable custom fields names and IDs in the instance in response to anonymous requests. This is a nasty exposure of data - admins have no way of knowing that private data shouldn't be put into custo...
Indexable User Content (Attachments) on Google
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47021. panel User content uploaded onto answers.atlassian.com is indexable by Google due to the lack of appropriate indexing rul...
Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X
h3. Steps to reproduce: Confluence 3.5.13 Installed, booted up Postregres DB Shutdown, applied patch following advisory admin panel not accessible content appears to be missing see errors in the logs: code 2014-05-22 16:28:50,308 ERROR http-8080-1 Standalone.localhost./.action log Servlet.service...
Upgrading to 5.5.1 from 5.4.3 didn't update xwork from 1.13 to 1.17
We recently upgraded our instance following your security advisory. It was discovered shortly after the upgrade that the xwork file that was vulnerable 1.13 was not upgraded to the safe version 1.17. This could have just been specific to our instance but you should check your upgrade process and...
Stored XSS in OnDemand Confluence Header via username
This is from an external report. Creating a user with username: code " code and returning to the dashboard will demonstrate the script injection. This PoC will not work in Chrome/Chromium, but will in Firefox and other browsers that do not have such protective measures...
Jira appears to disclose unprocessed server tags in the output of the Marketplace plugin
As discovered/reported by running a security scan with the Acunetix web vulnerability scanner on our internally hosted instance of Jira, the Marketplace plugin appears to disclose ASP.NET style server tags in the output HTML. For example, appears in the HTML for the following page:...
Processing malformed PNG by incoming mail handler causes OOM and blocks queue
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-38028. panel There are two problems: 1. OOM 2. Incoming email processing is blocked Looks like this is similar problem to JRA-35816, fixed in...
Certificates are not checked with a Default installation of StrTreeWin
Message during HG checkin: warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified check hostfingerprints or web.cacerts config setting This is a default install, and such an install should have security configured correctly out...
Content Spoofing in the createrssfeed action
A third party scan found that createrssfeed action is vulnerable to content spoofing|https://www.owasp.org/index.php/ContentSpoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users. How to reproduce: 1. go to...
Project description is persistent XSS vector for project admins
This issue is a clone of another one that was fixed in OD but left unfixed in BTF as "admin xss". It has been pointed out by several customers that this exploit requires only project admin level of privilege. The following project description: code alert1 code Pops up in the view project page, th...
Improve filter behaviour: auto-complete should not give away field values
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-36881. panel h4. Context When using JQL with auto-complete switched on, searching for fields will always list global values. For instance, wh...
JIRA sends in-app notifications to Confluence for restricted comments
If you have a primary application link between JIRA in Confluence, users get a notification in their Confluence workbox everytime someone comments in a ticket the user is watching. Users receive the notification with the text of the comment even when the comment is restricted to other groups,...
JIRA sends in-app notifications to Confluence for restricted comments
If you have a primary application link between JIRA in Confluence, users get a notification in their Confluence workbox everytime someone comments in a ticket the user is watching. Users receive the notification with the text of the comment even when the comment is restricted to other groups,...
XSS on several select lists
Steps to reproduce: -Create a new issue type -Add "alert'Issue name' as Issue name mind the qoute at the beginning -Add "alert'Issue desc' as Issue Description -Add /images/icons/issuetypes/genericissue.png "alert'Issue icon' as Issue Icon -Make sure that this issue type is available on your...
Whitelist or blacklist for inline attachment display
Currently, there are three Attachment Download Security Policy: Default Insecure Secure !sample.png! It would be helpful if there is an extra option which allow the administrator to control the type of attachment which can be displayed inline...
@mention Notification for Comments on Restricted Page in Confluence 5.4.x
In Confluence 5.4.x versions, the user is getting comment notifications in a page that he's restricted to view. If you restrict an user to view or edit the page through 'Tools Restrictions' and then comment in a page, the user will get the notification about it in the Workbox. h4.Steps to...
Cross Site Scripting vulnerabilities in Pickers
Currently, the confluence picker does not sanitize the input /crowd/console/secure/pickers/displayPicker.action. Proof of concept. Access the following URL in your browser with javascript enabled. Replace the with your crowd URL. panel...
Several actions vulnerable to CSRF (have websudo protection)
A number of actions in JIRA were vulnerable to CSRF as they performed no token checking. These actions are protected by websudo, which makes exploiting them impossible...
Secure Mail Archive with Space Permissions
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-31944. panel Mail Archives in a Space are currently not subject to any Read / View security context Permissions. They are visibl...
Link Text of a Space Changed for User without Space View Permission
Link Text name of a Space changes into the Space key if viewed by a user without Space view permission for that specific Space. h6. Steps to reproduce Create a Space e.g.: Space name "TEST 1 - 3" with Space key "TES" with a Homepage that has the same name as the Space name In other public Space,...
XSS when attaching a file to an issue
Hi, I found a persistent XSS vulnerability when attaching a file to an issue. The steps to reproduce are the following : - Attach a file to an issue. Its name must contain "alert'XSS'". I used a python script to do that. - Browse to the issue and open the ALL tab under activity. A popup should...
XSS vulnerability in JIRA description field
Using a link like: code https://x.x.com/x= please click here onmousemove=alert1 code shows a serious XSS vulnerability - using error correction in browsers Firefox 24 - in the JIRA description field and most likely every other wiki-style rendered field. Example: https://x.x.com/x= please click he...
UploadAction.execute vulnerable to CSRF
Sub-issue from CONF-27960. UploadAction.execute upload.action does not have CSRF protection...
Missing access controls in loadattachmentversions action
The loadattachmentsversions action is accessible to any user of Confluence and returns version history information for an attachment. No access controls appear to be implemented for this action and any user of Confluence can obtain version history for any attachment, including those on pages in...
CSRF in resetstylesheet.action
SpaceEditStylesheetAction.doReset EditStylesheetAction.doReset...
User lister action has no cross-site request forgery (XSRF) protection
Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery XSRF. An attacker who exploited this vulnerability could cause the...
User lister action has no cross-site request forgery (XSRF) protection
Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery XSRF. An attacker who exploited this vulnerability could cause the...
doremovespacemail action can be called by non-admins
The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods such as...
Implement clickjacking protection on https://answers.atlassian.com/
We received an external security report from Monendra Sahu that https://answers.atlassian.com/ is vulnerable to clickjacking|http://en.wikipedia.org/wiki/Clickjacking. This can be fixed by sending a X-Frame-Options header with a value of SAMEORIGIN. This will prevent answers from being displayed ...
Resource file path traversal in IconDownloadResourceManager
To reproduce: 1. Create a new page title doesn't matter. 2. Insert an image with URL: code:none /confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties code with /confluence/ replaced with the correct base path. Edit the page, click +, click Image, select the From the Web...
"Contact Administrators" Process Doesn't Exclude Disabled Administrators
h3. Steps to Reproduce: Create a new test user Add the newly created user into confluence-administrators group Disabled the new test user Access the following URL code/500page.jspcode Click the "Confluence Administrators" link which will redirect you to this URL...
XSS vulnerability in the Office Powerpoint macro (Office Connector)
To reproduce: 1. Attach a ".ppt" file to the page. any file with that extension - doesn't need to be a powerpoint file 2. Add "Office Powerpoint" macro with Slide Number as: code "alertdocument.domain code 3. View page. See officeconnector, PptConverter.java, line...
Make custom field description and options rendering consistent for OnDemand and BTF
JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on OnDemand. On OnDemand, custom field descriptions are wiki markup, but on BTF they're HTML. On OnDemand, custom field options e.g. for checkbox are plain text, but on BTF...