4295 matches found
Link Text of a Space Changed for User without Space View Permission
Link Text name of a Space changes into the Space key if viewed by a user without Space view permission for that specific Space. h6. Steps to reproduce Create a Space e.g.: Space name "TEST 1 - 3" with Space key "TES" with a Homepage that has the same name as the Space name In other public Space,...
The color of the issue security field should be configureable or black
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-36126. panel The color of the issue secuity field is red. Why? The color should be configureable or black, like other fields. I have already...
XSS when attaching a file to an issue
Hi, I found a persistent XSS vulnerability when attaching a file to an issue. The steps to reproduce are the following : - Attach a file to an issue. Its name must contain "alert'XSS'". I used a python script to do that. - Browse to the issue and open the ALL tab under activity. A popup should...
XSS vulnerability in JIRA description field
Using a link like: code https://x.x.com/x= please click here onmousemove=alert1 code shows a serious XSS vulnerability - using error correction in browsers Firefox 24 - in the JIRA description field and most likely every other wiki-style rendered field. Example: https://x.x.com/x= please click he...
UploadAction.execute vulnerable to CSRF
Sub-issue from CONF-27960. UploadAction.execute upload.action does not have CSRF protection...
Missing access controls in loadattachmentversions action
The loadattachmentsversions action is accessible to any user of Confluence and returns version history information for an attachment. No access controls appear to be implemented for this action and any user of Confluence can obtain version history for any attachment, including those on pages in...
CSRF in resetstylesheet.action
SpaceEditStylesheetAction.doReset EditStylesheetAction.doReset...
Jira is logging SOAP body in default config - passwords included
In the default log4j.properties of Jira, there are settings for logging soap dumps. The config file does not explicitly enable the logging of soap dumps, but somehow, this happens, with usernames and passwords. For security, this should be fixed or removed from log4j config...
User lister action has no cross-site request forgery (XSRF) protection
Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery XSRF. An attacker who exploited this vulnerability could cause the...
User lister action has no cross-site request forgery (XSRF) protection
Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery XSRF. An attacker who exploited this vulnerability could cause the...
doremovespacemail action can be called by non-admins
The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods such as...
Implement clickjacking protection on https://answers.atlassian.com/
We received an external security report from Monendra Sahu that https://answers.atlassian.com/ is vulnerable to clickjacking|http://en.wikipedia.org/wiki/Clickjacking. This can be fixed by sending a X-Frame-Options header with a value of SAMEORIGIN. This will prevent answers from being displayed ...
Resource file path traversal in IconDownloadResourceManager
To reproduce: 1. Create a new page title doesn't matter. 2. Insert an image with URL: code:none /confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties code with /confluence/ replaced with the correct base path. Edit the page, click +, click Image, select the From the Web...
"Contact Administrators" Process Doesn't Exclude Disabled Administrators
h3. Steps to Reproduce: Create a new test user Add the newly created user into confluence-administrators group Disabled the new test user Access the following URL code/500page.jspcode Click the "Confluence Administrators" link which will redirect you to this URL...
XSS vulnerability in the Office Powerpoint macro (Office Connector)
To reproduce: 1. Attach a ".ppt" file to the page. any file with that extension - doesn't need to be a powerpoint file 2. Add "Office Powerpoint" macro with Slide Number as: code "alertdocument.domain code 3. View page. See officeconnector, PptConverter.java, line...
Make custom field description and options rendering consistent for OnDemand and BTF
JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on OnDemand. On OnDemand, custom field descriptions are wiki markup, but on BTF they're HTML. On OnDemand, custom field options e.g. for checkbox are plain text, but on BTF...
Persistent XSS in Username field
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46732. panel The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" f...
XSS in doconfigurerssfeed.action
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-30240. panel Filed by vosipov on behalf of write.muhammadwaqar. code...
Reflected XSS in JIRA Admin Panel (Delete User)
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...
XSS Vulnerability in About Me field
Steps to reproduce: In id.atlassian.com, add to your About me: code console.log' +++++ Hi Dennis ++++++'; code Save & check in your answers profile - the JS will appear in the browser console. [email protected] can you do me a favor and give every profile field an once-over?...
Page Properties Report showing restricted items
Pages using the Page Properties control that are restricted, still display in a page with the Page Properties Report control when they should not. To clarify: A page with the Page Properties Report control that is unrestricted, shows all of the relevant pages within it. However a few of the pages...
XSS vulnerabilities in Atlassian Answers
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47042. panel Some users seem to try XSS attack on Atlassian Answers. How to replicate is the following steps. Go to the top page...
SPAM via Answer
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47171. panel I have received an email notification containing a link as an aswer one of my questions. It turns out that a spam. ...
Workbox (Notifications and Tasks) leaks restricted information from a jira issue
If a confluence instance is configured to pull notifications from a JIRA server then if a user 'B' not in group 'A' watches an issue and a comment is added to the issue restricted to group 'A' then user 'B' is able to see the contents of the restricted comment via the "Notifications and Tasks"...
Restrict access to personal pages and directory
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-28592. panel We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do...
Activity stream not respecting parent page restrictions
The Confluence Activity stream will display all pages that the user has access to according to the restrictions. However, if the user is limited in viewing a page due to inherited restrictions from a parent page, the page in question will still show up in the activity stream, and when following t...
Default application files available for download via the application server.
see: https://jira.atlassian.com/browse/JRA-31187 e.g. https://fisheye2.atlassian.com/s/1519/3/1.0//WEB-INF/ and https://fisheye2.atlassian.com/s/1519/3/1.0//WEB-INF/web.xml . FishEye shouldn't write any user data to the WEB-INF directory. The only files which are viewable there, should be the sam...
Default application configuration files are available for download
h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under /confluence/WEB-INF/... code/s/1519/3/1.0//WEB-INF/...code The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access h5. Not...
Default application configuration files are available for download
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-27693. panel h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under...
Default application configuration files are available for download
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-27693. panel h3. Summary of The Bug By browsing to the following URL path user would be able to download any files under...
File Attachment persistent XSS
There is a persistent XSS vulnerability in the attachment download functionality of Confluence. By uploading a malicious executable file type like SVG scalable vector graphics with embedded JavaScript, it’s possible for an attacker to execute arbitrary code under the context of the logged in user...
Potential persistent xss in fixCaseInNotifications.jsp
There is a difficult to exploit XSS in fixCaseInNotifications.jsp. We could not get it to trigger, but there are some scenarios where unescaped data can be displayed through fix method correctName, userNameToFix. The relevant code is as follows: code NotificationCaseFixer caseFixer = new...
Persistent XSS in the removepage.action page through the title of the parent page being deleted
The parent title of a confluence page is not html encoded when displayed in removepage.action this results in a persistent XSS vector. Steps to reproduce: 1. Add a page with a title of "" alert3; 2. from the Add menu select "Add page" so it is a child of the first page 3. save the new page child ...
Persistent XSS in the removepage.action page through the title of the parent page being deleted
The parent title of a confluence page is not html encoded when displayed in removepage.action this results in a persistent XSS vector. Steps to reproduce: 1. Add a page with a title of "" alert3; 2. from the Add menu select "Add page" so it is a child of the first page 3. save the new page child ...
User email showing in suggestions section with visibility set to hidden
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-29690. panel Assignee user-picker shows user email in Suggestions section, with User Email Visibility set to hidden. Steps to reproduce: Emai...
XSS vulnerability in chart saving
Create a new dashboard with the name alert"XSS" 2. Go to the issue navigator and perform a search 3. Choose Views - charts - Save to dashboard This is because portal.name is unescaped in savetodashboard.vm. Tested in OnDemand and BTF...
Turning off Anti-XSRF protection for comments has no effect
Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off verified that the setting is saved in the BANDANA table, adding comments is not possible, due to an XSRF warning. This is also covered in more details on this KB:...
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
Session ID and remember me cookie should expire when LDAP user password is changed
Steps to reproduce Login as a normal Confluence user In another browser or in incognito mode, login as system administrator Go to Confluence Admin Manage Users and click on the user Click Set Password and set a different password for this user Refresh the page and the user can still access the pa...
Persistent Cross Site Scripting Vulnerability
We have identified and fixed a persistent cross-site scripting XSS vulnerabilities that affects Stash instances, including publicly available instances that is, Internet-facing servers. XSS vulnerabilities allow an attacker to embed their own JavaScript into a Stash page. More information is...
persistent xss vulnerability through uploaded files in IE8/9
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46953. panel It is possible to upload a number of file types checked by extension to an answers instance and then download them...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-29213. panel Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 won't...
XSS vulnerability in the "import word document" page action through the page name
On the "import word document" page action the name of the confluence page is a persistent xss vector as it is not encoded. How to Reproduce: 1. Create a confluence page with the following title noformat XSS"/alert'XSS' noformat 2. Navigate to the created page 3. Under the tools menu select "Impor...
XSS (reflected) in rankVMID parameter of GetRankPage.jspa
As per https://sdog.jira.com/browse/JSTDEV-2110 Targets:...
ldap injection in the custom atlassian authentication code
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47275. panel The custom atlassian ldap authentication code is vulnerable to ldap injection. The method which is vulnerable to ld...
The csrf token cookie should be a 'secure' cookie like the sessionid cookie
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46613. panel That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1...
XSS vulnerability in the "move" page action with html/js in the page name
There is an persistent xss vector in the 'move' page action on a page, where the javascript/html payload is included in the name of the page. Steps to reproduce: 1.create a page named: "''/'kasdfjas'dfasdf 2. on the page click on the "move" option under the tools drop-down menu 3. see an alert bo...
The vulnerability exists in the standalone and also in the online demonstration enviroment.
It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter should contain at least two charakters. It is possible to enumerate all usernames by performing a search from 'query' value 'aa' to 'zz'...
admin/dev/shortcuts.jsp lacks an XSRF token to alter installed/.configured shortcuts
admin/dev/shortcuts.jsp does not require a csrf token to alter installed/.configured shortcuts...
admin/createMissingPersonalInfo.jsp lacks an XSRF token to trigger "build Personal Information objects"
admin/createMissingPersonalInfo.jsp doesn't require a csrf token to trigger "build Personal Information objects". When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...