Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2010/11/26 12:27 p.m.•18 views

adding "Project Member" to User/Group/Projectrole options list for security level

I'm looking for a fast and easy way to handle security viewability of issues over all projects. Scenario is: We have setup the Jira company environment and several different projects. We have some external developers that are assinged to their specific projects. I did not yet use the security...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:15 p.m.•18 views

Allow to specify which user to be used in trusted connection with JIRA

This is an improvement request to allow specifying which user to be used in trusted connection with JIRA. Proposed example next to the documented examples in Jira Issues Macro|http://confluence.atlassian.com/display/DOC/JIRA+Issues+Macro bq. Anonymous=false: EITHER use the user credentials define...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:15 p.m.•18 views

Allow to specify which user to be used in trusted connection with JIRA

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-21127. panel This is an improvement request to allow specifying which user to be used in trusted connection with JIRA. Proposed...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/10 8:4 p.m.•18 views

Google Chrome shows mixed content warning

Hello, when JIRA is requested via https with Google Chrome 6.0.472.63 on all URLs of JIRA https is in red, crossed out and a padlock with red cross is shown with this description: "Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/22 6:24 a.m.•18 views

restrict the access to JIRA for specific pairs "user account - host"

to be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such distribution groups and computer groups in tool of the coding of...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/23 9:46 a.m.•18 views

Property for enabling/disabling viewage of Jira administrators

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-22096. panel As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/25 4:47 p.m.•18 views

Logout Button / Option Missing for some LDAP user accounts

Instance Details / Description: The logout option to kill sessions is not present for some user accounts i,e, the zzsvat01-05 test accounts. It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances i.e. probably...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/25 4:47 p.m.•18 views

Logout Button / Option Missing for some LDAP user accounts

Instance Details / Description: The logout option to kill sessions is not present for some user accounts i,e, the zzsvat01-05 test accounts. It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances i.e. probably...

0.9AI score
Exploits0
Atlassian
Atlassian
•added 2010/05/31 6:58 a.m.•18 views

WebSudo should be disabled in devmode

When confluence is started in dev mode, websudo should be disabled...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/27 4:58 a.m.•18 views

XSS in page renderer

An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 4:38 a.m.•18 views

SOAP and XML-RPC APIs return too much information

The SOAP and XML-RPC APIs return more information than is needed. This issue corrects that problem. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issues and information on how we rate our issues...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 12:59 a.m.•18 views

Possible XSS injection in attachment upload

A XSS vulnerability has been identified in attachment upload. The severity of this issue has been rated HIGH. Please refer to the security advisory at http://confluence.atlassian.com/x/ZILmD for information on how we rate issues...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/19 12:57 a.m.•18 views

Brute force protection on JIRA 4.1 leaks valid account names

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-21036. panel The brute force login protection in JIRA only activates when a real user account is accessed. This can be used by an attacker to...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 4:36 a.m.•18 views

runportleterror.jsp contains XSS hole

The runportleterror.jsp contains an XSS attach vector via the unescaped 'portletKey' URL parameter. The parameter should be escaped properly...

2.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/16 4:29 a.m.•18 views

Announcement Preview banner is a vector for an XSS attack

The announcement preview banner is currently displayed via the global decorator. It can be used for an XSS attack on virtually every page, via the announcementpreviewbannerst URL parameter. We should display the preview only locally in the admin section...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 5:57 a.m.•18 views

xss vulnerability in issuelinksmall.jsp

Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 1:0 a.m.•18 views

Custom fileds inconsistently escaped in view and edit screens

Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/01/20 6:41 p.m.•18 views

autocomplete box in page restrictions finds deleted users, wrong usernames

We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/23 2:27 a.m.•18 views

Randomised password not sent in email

When creating a user with password normally, the notification email to that new user will contain the password. However creating a new user and leave the password blank, JIRA randomly generates a password for that user, but the randomised password "is not sent" in the notification email to that...

Exploits0
Atlassian
Atlassian
•added 2009/09/02 3:54 p.m.•18 views

"User Custom Field Value" permission type incorrectly exposes JIRA project names to everyone

Problem: Project names are shown to users with no permission to see the project. Impact: Security hole! Recipe: it helps to have two browsers open one logged in as admin the other as the user I will create called dummy Add user dummy Add project blah Add custom field myuser of type user picker,...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/08/18 1:18 a.m.•18 views

XSS vulnerability can be exploited with the pagetree macro

Use the following markup: noformatpagetree:root=alert'12'noformat Whenever the page is viewed, the script will be executed...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2009/08/12 6:33 p.m.•18 views

Uploading large fonts for PDF export fails with XSRF error

When uploading souizhs.ttf font that we use due to its comprehensive UTF8 support, I'm getting XSRF validation error: quote Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page. quote I tried...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/07/31 3:0 a.m.•18 views

JIRA should trust itself by default.

Upgrade Seraph and Trusted apps to 2.0.1/2.1. If the CurrentApplication implements TrustedApplication then return it if it is asked for by id...

1.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/20 6:9 a.m.•18 views

Jiraissues add icon mapping configuration is susceptible to XSS

Combined with XSRF susceptibility via CONF-15753; you can craft an attack to get elevated privileges in Confluence. !http://img.skitch.com/20090520-x5gug8e8q5snabtmm2i2kdx1p.jpg!...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/05/14 3:26 a.m.•18 views

Prevent global settings from being accidentally overwritten

On a number of occasions, upgrading Extranet has triggered some kind of bug that has caused the global settings to be reset to their default values. The most obvious cause of this is that some piece of code has created a new Settings object and saved it through the settings manager. One way to...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:27 p.m.•18 views

Cache Plugin -Cross-site script error

Our e-security department found the error below after scanning the Cache Plugin: Number System/Location Defect Type Status R3 Cache Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies, which may be use...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/19 4:15 p.m.•18 views

Latex Plugin-Cross-site Scripting Error

Our security group scanned the plugin below and found the following issue for the Latex Plugin: Number System/Location Defect Type Status R1 Latex Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/03/12 4:24 p.m.•18 views

Vulnerable and pointless password storage on client computers

Given the following: -http://confluence.atlassian.com/display/DOC/Confluence+Cookies, which says "a one-way hash of the user's password" is stored in a browser cookie on the user's computer. -CSP-29692 case I opened with Atlassian support, which explained that EncryptionUtils.java is used to...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/02/26 12:44 a.m.•18 views

Impropper sanitisation of attachment filenames allows header injection

An attacker can craft a specific attachment filename, or rename the file once it has been uploaded to introduce arbitrary headers into the response stream...

4.4AI score
Exploits0
Atlassian
Atlassian
•added 2009/02/20 12:41 a.m.•18 views

Redirect that works in 2.9 is broken in later Confluence versions

Adding a .jsp containing the following code will work in 2.9, but produces an exception in 2.10 when a parameter such as osdestination is supplied: code code Example URL: http://localhost:8080/confluence/login2.jsp?osdestination=%2Fdashboard.action Typical exception: quote...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/02/18 8:8 p.m.•18 views

Issue security based on workflow status

I would be great if permission types could be associated with workflow status. What we would like to do is limit the ability to edit an issue by the reporter to a specific workflow status. Using the issue security scheme is not possible since the reporter should always be allowed to view the issu...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/01/28 9:58 p.m.•18 views

Ability to grant Import/Export privileges to a group or a user

In our JIRA environment, we have several projects where each of the project admins uploads tasks from a CSV file into their respective project. Inorder for these project admins have the upload permissions, they need to be part of the JIRA System Administration group. This is unacceptable and is a...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/11/07 6:43 p.m.•18 views

Boolean operators on user and group management

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-13634. panel Please consider this as a feature request for a future release of Confluence. Boolean operands on Space permissions...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/09/04 1:18 a.m.•18 views

XSS in site search action

http://confluence.atlassian.com/dosearchsite.action?where=confall&queryString=%3Cscript%3Ealert'foo';%3C/script%3E queryString needs to be escaped. This problem is fixed if they turn on Anti-XSS mode. We still need to fix this as anti-xss is not on by default...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/08/29 6:36 p.m.•18 views

Pages that inherit page restrictions are not respecting those restrictions after upgrade to Confluence 2.9

Tested and verified in both customer enviornment and in test enviornment. In the event that you have a parent page restriction and a child page that inherits that restriction, upon upgrade, 2.9 will only respect the explicit parent permission in terms of security trims and actual access but not...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/08/19 5:10 a.m.•18 views

The TrustedApplicationsFilter doesn't work for /rpc/* URLs

The sessioninview filter doesn't cover rpc URLs I think because this meant that RPC actions didn't show up in the DB until the response what completely written This means that lazily loaded data returned by the HibernateTrustedApplicationDao causes problems when the TrustedApplicationsFilter trie...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/07/10 6:30 p.m.•18 views

Restrict the transmission of Confluence version details

I noticed that on several installs, Confluence by default displays its full version number and sometimes build number to the world. It is a commonly accepted web security practice to withhold all product details, including version information, except to users on a "need to know" basis. Otherwise,...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/04/21 4:28 p.m.•18 views

XSS vulnerability in viewinfo.action

Referrer URLs are not encoded in viewinfo.vm...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/03/11 4:8 a.m.•19 views

username not validated in add user to favourites action

Entering a bogus username here has the unwanted side effect of adding a bogus entity to your user favourites that can't be removed...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/03/10 4:44 a.m.•18 views

viewuser.action has an XSS problem around username

Steps to reproduce: create a user with username: foo"alert'hello';span class="ff you should get an alert when you are redirected to viewuser.action to view the user you just created...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2008/02/07 1:44 a.m.•18 views

Moving an issue from a project with Issue Security to a project without does not clear out the security

To reproduce this issue, do the following: Create Project AAA Create Project BBB Create an Issue Level Security Scheme, and assign it to AAA only Create a Clone of the Default Field Configuration Scheme. Hide the field Security Level on the Cloned copy. Assign the Cloned copy to BBB. Create a New...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/11/12 3:22 a.m.•18 views

Bulk Move does not update the Security Level of subtasks

When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/10/24 6:4 a.m.•18 views

Issues not shown in issue navigator that a user has permission for according to the issue security level

Users may not be able to see certain issues in the IssueNavigator, if they create an issue level security, where the permission depends on a user custom field where the customfield does not have a searcher set. Browsing the issue directly, works fine, however when running a search the issue wont ...

0.8AI score
Exploits0
Atlassian
Atlassian
•added 2007/09/05 8:3 p.m.•18 views

Only allow basic formatting macros in comments

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-9387. panel Currently it is possible for users with create comments permission to embed macros in these comments. This is a...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/07/24 7:51 a.m.•18 views

Reflected XSS Vulnerability in the Feed Builder

---- Input in the Feed Builder is not properly handled. Insert: code "alert'Gotcha!' code as the feed name title and you get url like this:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/07/23 11:52 a.m.•18 views

XSS vulnerability at "Edit Space Permissions"

Description: XSS vulnerability at "Edit Space Permissions" page Exploit: Write to the "Grant permission to" field: "alertdocument.cookie"...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/07/19 8:31 p.m.•18 views

stored XSS vulnerability in app/themes/leftnavigation/configuretheme.action

Description: Stored XSS via page app/themes/leftnavigation/configuretheme.action?key= Exploit: Example value in the Naviagtion Page field: "aletrdocument.cookiex x="...

2.6AI score
Exploits0
Atlassian
Atlassian
•added 2007/07/19 12:56 p.m.•18 views

XSS vulnerability in app/pages/listpages-alphaview.action

Description: XSS via the "startsWith" field in pages/listpages-alphaview.action. Exploit: noformathttp://app/pages/listpages-alphaview.action?key=&startsWith=xss:alertdocument.cookienoformat...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/07/11 12:37 a.m.•18 views

Security issue: user can copy page with only view permissions

I have a user who only has view permissions to a space. Logging on as that user, I went to the Info tab of a page. The Copy operation appeared, and I was able click the link, edit the copied page, and save it. This must be a security hole?...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2007/04/26 3:14 p.m.•18 views

Allow embedding multimedia content located on remote servers

Re: CSP-8387 Currently, when embedding multimedia content on Confluence you are restricted to embedding files located on the Confluence server. The page http://confluence.atlassian.com/display/CONF20/Embedding+Multimedia+Content singles out "security reasons" as the reason for this limitation. In...

2.7AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295