Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2012/02/23 9:4 a.m.•17 views

XSS Vulnerabilities in JIRA Attachments?

At the current moment, JIRA do not have any restrictions for attachment files, which allows users to upload malicious file into JIRA issues. This can be a problem when we open an attachments using Mozilla Firefox, since the browser allows us to open attachments using web browser. The steps to...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2011/10/25 3:47 a.m.•17 views

XSS vulnerability in a user's comment

We have identified and fixed a stored cross-site scripting XSS vulnerability in the FishEye user profile. Affected versions are all versions earlier than 2.5.5 XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attac...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2011/09/05 11:26 p.m.•17 views

XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin

We have identified and fixed a cross-site scripting XSS vulnerability in JIRA administration interface. Affected version is JIRA 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various places on the web...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/08/22 6:19 a.m.•17 views

make space admin able to see restricted pages in his own space

This is a request to make space admins able to see the content of restricted pages in their own spaces. Currently only confluence-administrators can do that...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/07/14 1:8 p.m.•17 views

Enumeration of usernames possible in Jira

We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect. After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate t...

2.3AI score
Exploits0
Atlassian
Atlassian
•added 2011/07/12 2:32 a.m.•17 views

GeneralUtil.htmlEscapeQuotes should be annotated HtmlSafe

The GeneralUtil.htmlEscapeQuotes method outputs HTML and thus should be annotated as @HtmlSafe. Not doing so causes its output to be double escaped when automatic escaping is enabled for the plugin/velocity template...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/07/01 10:40 a.m.•17 views

Web Sudo should be able to be subverted for non browsers (eg scripts) via a HTTP header

We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header. This posts shows the use case https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4 I believe it just as secure since web sudo is really design to stop som...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/06/20 7:31 a.m.•17 views

Permission checking bug in Crucible Review Tooltips

We have identified and fixed a permission checking bug in the Crucible review tooltips. Affected versions are 2.4.6 to 2.5.6 This bug allows users to view metadata for a reviews that they do not have permission to view. This issue is reported in our security advisory on the following page:...

1.6AI score
Exploits0
Atlassian
Atlassian
•added 2011/06/14 10:6 p.m.•17 views

Implement security sanitization of RSS feeds and other included content

A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or in the macro level -- I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/06/07 12:52 a.m.•17 views

XSS Vulnerability in Issue Links and Labels

We have identified and fixed a number of cross-site scripting XSS vulnerabilities in JIRA issue links and labels. Affected versions are 4.2.x to 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/06/07 12:52 a.m.•17 views

XSS Vulnerability in Issue Links and Labels

We have identified and fixed a number of cross-site scripting XSS vulnerabilities in JIRA issue links and labels. Affected versions are 4.2.x to 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/05/23 6:44 a.m.•17 views

XSRF vulnerability in the Social Bookmarking plugin

We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Social Bookmarking plugin. Note that the Social Bookmarking plugin is disabled by default. If you do not...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/05/11 7:3 a.m.•17 views

XSS vulnerability in doeditmysettings.action

This vulnerability affects all versions from 3.5 and above. We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence settings editing action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/04/26 9:8 a.m.•17 views

"Forgot Password" feature should not reveal that a given username exists within Confluence for security reason

It is possible to see which user exists on Confluence or not from within "Forgot Password" link. This is bad for security reasons. If you enter a non-existant username, it currently warns "No user with that username exists". Instead, the feature should give same message, regardless of whether the...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/03/23 5:32 a.m.•17 views

Searching within restricted pages/spaces

This is the issue reference: https://support.atlassian.com/browse/CSP-59005?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel I wanted a feature wherein a user can search within spaces or pages that he/she does not have access to. There are some pages that I do not want everyone t...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/03/23 2:52 a.m.•17 views

Profile picture thumbnail generation can consume unlimited amount of memory

Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/03 3:34 a.m.•17 views

XSS vulnerability in Create Space Button macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence create-space-button macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/03 3:34 a.m.•17 views

XSS vulnerability in Create Space Button macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence create-space-button macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including...

0.3AI score
Exploits0
Atlassian
Atlassian
•added 2010/12/02 11:0 p.m.•17 views

XSS vulnerability in Bookmarks macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/02 11:0 p.m.•17 views

XSS vulnerability in Bookmarks macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0
Atlassian
Atlassian
•added 2010/11/26 12:27 p.m.•17 views

adding "Project Member" to User/Group/Projectrole options list for security level

I'm looking for a fast and easy way to handle security viewability of issues over all projects. Scenario is: We have setup the Jira company environment and several different projects. We have some external developers that are assinged to their specific projects. I did not yet use the security...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/11/25 11:42 p.m.•17 views

Implement salting of user passwords

Salting and Hashing of user passwords will require us to provide an upgrade path for users since all existing passwords will become invalid. This change should use the atlassian-security password encode library SEC-1...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/11/05 5:10 a.m.•17 views

XSS in filter.subscription.prefix.monthDay parameter of /secure/FilterSubscription.jspa

http://172.16.230.130:8080/secure/FilterSubscription.jspa?filter.subscription.prefix.interval=180&groupName=jira-users&filter.subscription.prefix.runFromMins=00&nextRun=&filter.subscription.prefix.runToMins=00&filter.subscription.prefix.runToMeridian=pm&filter.subscription.prefix.week=2&filter.su...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:15 p.m.•17 views

Allow to specify which user to be used in trusted connection with JIRA

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-21127. panel This is an improvement request to allow specifying which user to be used in trusted connection with JIRA. Proposed...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/26 2:11 a.m.•17 views

Intermittent Session Lost During Add/Edit Page in Firefox

We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2010/10/10 8:4 p.m.•17 views

Google Chrome shows mixed content warning

Hello, when JIRA is requested via https with Google Chrome 6.0.472.63 on all URLs of JIRA https is in red, crossed out and a padlock with red cross is shown with this description: "Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/10/05 5:37 a.m.•17 views

XSS vulnerability in Office Connector

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/27 5:20 p.m.•17 views

Non-secure content warning in IE8 on the Dashboards screen caused by the wiki renderer

Wiki renderer-generated contents e.g. in the activity stream include references to icons with http prefix that cause IE8 to generate security warnings for JIRA instances accessible via HTTPS. To reproduce it, have contents in the activity stream gadget contain icons included by the wiki renderer,...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/22 6:18 p.m.•17 views

Page view restriction is not inheriting to child pages in some spaces

When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...

2.3AI score
Exploits0
Atlassian
Atlassian
•added 2010/09/22 6:24 a.m.•17 views

restrict the access to JIRA for specific pairs "user account - host"

to be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such distribution groups and computer groups in tool of the coding of...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/25 1:48 a.m.•17 views

Confluence should not allow configuration of Office Connector temporary storage location

Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/23 9:46 a.m.•17 views

Property for enabling/disabling viewage of Jira administrators

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-22096. panel As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/18 6:38 a.m.•17 views

websudo annotation backwards compatibility (Confluence 3.3)

Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/07/28 4:34 p.m.•17 views

NullPointerException when Switching between Projects or Boards

In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/25 4:47 p.m.•17 views

Logout Button / Option Missing for some LDAP user accounts

Instance Details / Description: The logout option to kill sessions is not present for some user accounts i,e, the zzsvat01-05 test accounts. It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances i.e. probably...

0.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/31 6:58 a.m.•17 views

WebSudo should be disabled in devmode

When confluence is started in dev mode, websudo should be disabled...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/27 4:58 a.m.•17 views

XSS in page renderer

An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...

0.2AI score
Exploits0
Atlassian
Atlassian
•added 2010/04/22 4:38 a.m.•17 views

SOAP and XML-RPC APIs return too much information

The SOAP and XML-RPC APIs return more information than is needed. This issue corrects that problem. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issues and information on how we rate our issues...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 12:59 a.m.•17 views

Possible XSS injection in attachment upload

A XSS vulnerability has been identified in attachment upload. The severity of this issue has been rated HIGH. Please refer to the security advisory at http://confluence.atlassian.com/x/ZILmD for information on how we rate issues...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 4:29 a.m.•17 views

Announcement Preview banner is a vector for an XSS attack

The announcement preview banner is currently displayed via the global decorator. It can be used for an XSS attack on virtually every page, via the announcementpreviewbannerst URL parameter. We should display the preview only locally in the admin section...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/23 2:46 p.m.•17 views

Allow non-Administrators to be able to modify workflows

As an IT Manager, by having to add users to the Administrators group in order to edit and manage workflows is prohibitive to the administration and security of our Jira environment. While I want users to create, manage and edit workflows, I do NOT want them creating or modifying accounts which...

3.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 5:57 a.m.•17 views

xss vulnerability in issuelinksmall.jsp

Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 5:57 a.m.•17 views

xss vulnerability in issuelinksmall.jsp

Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...

0.4AI score
Exploits0
Atlassian
Atlassian
•added 2010/03/16 1:0 a.m.•17 views

Custom fileds inconsistently escaped in view and edit screens

Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/02/26 5:40 a.m.•17 views

A link to Re-Indexing is visible to users even if they are not sys admin

I saw this on EACJ where I am not a sys admin quote XXXX made configuration changes in section 'Custom Fields' at 01/Feb/10 1:16 PM. It is recommended that you perform a re-index. For more information, please click the Help icon. To perform the re-index now, please go to the 'Indexing' section...

1AI score
Exploits0
Atlassian
Atlassian
•added 2010/02/17 4:24 a.m.•17 views

Changing system locale means users with non-ASCII characters in their passwords cannot authenticate

The OSUser and Atlassian-User authenticators used by Confluence convert a password into bytes before hashing it. This conversion doesn't specify which encoding should be used, so the system's default encoding is used. If the system administrator changes the locale settings on the server or change...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/01/20 6:41 p.m.•17 views

autocomplete box in page restrictions finds deleted users, wrong usernames

We recently migrated our user management from JIRA to Crowd, our Confluence instance used to link to JIRA for authentication, and now links to Crowd. We now found that, when editing the restrictions on individual pages, the autocomplete feature in that dialog acts strange: Users that have been...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/01/14 8:33 p.m.•17 views

CAPTCHA Option Should Exist for The Password Reset Form

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-20150. panel The password reset prompt allows an individual to reset any user's password. My company uses a standard employee id to use for t...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/23 2:27 a.m.•17 views

Randomised password not sent in email

When creating a user with password normally, the notification email to that new user will contain the password. However creating a new user and leave the password blank, JIRA randomly generates a password for that user, but the randomised password "is not sent" in the notification email to that...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2009/12/23 2:27 a.m.•17 views

Randomised password not sent in email

When creating a user with password normally, the notification email to that new user will contain the password. However creating a new user and leave the password blank, JIRA randomly generates a password for that user, but the randomised password "is not sent" in the notification email to that...

Exploits0Affected Software1
Total number of security vulnerabilities4295