4295 matches found
Tools/Share sends e-mail to disabled users
I have Confluence/JIRA latest versions self hosted. Confluence gets its users from JIRA. I created a new topic and then used the Tools/Share option to notify all of the new topic. I used "jira-users" to send the message to. It sent to everyone including disabled users. I would expect the behavior...
"Issue Does Not Exist" page leaks information to non-logged in users
Trying to open a URL for an issue that does not exist shows the "Issue Does Not Exist" error page, even if you are logged out and the project is not publicly viewable. In contrast, trying to open the URL for valid issue will prompt the user to login. In this way, an unprivileged user can learn...
Stored XSS Vulnerability found on Atlassian
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47027. panel Hi ! I am writing this email to let you know of a Stored XSS Vulnerability that i found on atlassian.com . You wil...
Password for LDAP Connection Displayed in the "directoryConfigurationSummary.txt" file
In the Support.zip|https://confluence.atlassian.com/display/DOC/Troubleshooting+Problems+and+Requesting+Technical+SupportTroubleshootingProblemsandRequestingTechnicalSupport-Method1:UsingtheSupportRequestFormviatheConfluenceAdministrationConsole there is a file named...
Content injection caused by failing to encode the url
The exampleURLPrefix variable given to the single-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/issueviews/single-xml-header.vm11 or...
Content injection caused by failing to encode the url
The exampleURLPrefix variable given to the single-xml-header.vm|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-core/src/main/resources/templates/plugins/issueviews/single-xml-header.vm11 or...
Upgrade to Application Links 4.2.4, SAL 2.12.2+
We have vulnerability in application links: https://jira.atlassian.com/browse/JRA-38918 Bumping applinks to 4.2.4 and SAL to 2.10.20 will fix the problem. Product should implement IFRAME page capability in their login page provided by LoginUriProvider...
Bruteforce Attack via Applinks Servlet
An attacker is able to perform bruteforce attacks via the applinks servlet. There is no captcha protection, nor do accounts get locked out after excessive attempts. The attacker can input a username, and perform bruteforce attacks on the login form. The core issue is that there is no login attemp...
Persistent Cross Site Scripting Flaw in User Profiles
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46664. panel A persistent cross site scripting flaw exists in user profiles when the user updates his/her Homepage URL from the...
Unauthenticated User can access certain pages on a private JIRA instance
When you enter the URL of a private JIRA instance on the Quick Search from the login page, you will be directed to the Issue Navigator. !mark2.jpg|thumbnail! If you click the "Status" drop down button, you the unauthenticated user would be able to see the status codes. !mark1.jpg|thumbnail! If yo...
Restricted JIRA comments appear in Confluence notification inbox
If a user is watching a JIRA issue, and a restricted comment is made on that issue that the user should not be able to see, the notification still appears in their Confluence notification inbox. When the user navigates to the issue, the correctly are not allowed to see the comment. This is a...
Accept Answer URL should be idempotent and accept PUT or POST requests only
Answers currently users a single URL to both accept and un-accept answers: noformat $baseurl/acceptanswer/$answerid. noformat If this URL is requested and the answer in question is currently un-accepted, its state will be changed to accepted. If the answer in question is already accepted, it will...
Confluence Administrator Can Add Himself to System Administrator Group
I have found what I believe to be a security bug in Confluence that should be fixed. We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators see attachment. The purpose was to give our Tech Writers the ability to access t...
Improve filter behaviour: auto-complete should not give away field values
h4. Context When using JQL with auto-complete switched on, searching for fields will always list global values. For instance, when using the IN operator in JQL, auto-complete will "give away" values for the majority of fields. Given that for each individual project there are schemes restricting o...
XSS on several select lists
Steps to reproduce: -Create a new issue type -Add "alert'Issue name' as Issue name mind the qoute at the beginning -Add "alert'Issue desc' as Issue Description -Add /images/icons/issuetypes/genericissue.png "alert'Issue icon' as Issue Icon -Make sure that this issue type is available on your...
Cross Site Scripting vulnerabilities in Pickers
Currently, the confluence picker does not sanitize the input /crowd/console/secure/pickers/displayPicker.action. Proof of concept. Access the following URL in your browser with javascript enabled. Replace the with your crowd URL. panel...
Secure Mail Archive with Space Permissions
Mail Archives in a Space are currently not subject to any Read / View security context Permissions. They are visible to all space users. REQUEST: Apply Restrict Space Permissions to Mail Archive Same behavior as for Pages, restricting ability to search or view mail archive based on permissions. S...
Secure Mail Archive with Space Permissions
Mail Archives in a Space are currently not subject to any Read / View security context Permissions. They are visible to all space users. REQUEST: Apply Restrict Space Permissions to Mail Archive Same behavior as for Pages, restricting ability to search or view mail archive based on permissions. S...
Secure Mail Archive with Space Permissions
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-31944. panel Mail Archives in a Space are currently not subject to any Read / View security context Permissions. They are visib...
Link Text of a Space Changed for User without Space View Permission
Link Text name of a Space changes into the Space key if viewed by a user without Space view permission for that specific Space. h6. Steps to reproduce Create a Space e.g.: Space name "TEST 1 - 3" with Space key "TES" with a Homepage that has the same name as the Space name In other public Space,...
XSS when attaching a file to an issue
Hi, I found a persistent XSS vulnerability when attaching a file to an issue. The steps to reproduce are the following : - Attach a file to an issue. Its name must contain "alert'XSS'". I used a python script to do that. - Browse to the issue and open the ALL tab under activity. A popup should...
The xsrf cookie token is not a 'secure' cookie for secure('https') requests
To prevent against man in the middle attacks the xsrf cookie token should have the 'secure' attribute set...
Confluence notifications generated on jira issues no longer readable
A user created a ticket in jira, which was moved to another section, where the creator of the ticket has no rights. But the creator recieved a notification in confluence about a new comment on the ticket, he was no longer able to read and the comment was quoted in confluence. I think, this is a...
Confluence notifications generated on jira issues no longer readable
A user created a ticket in jira, which was moved to another section, where the creator of the ticket has no rights. But the creator recieved a notification in confluence about a new comment on the ticket, he was no longer able to read and the comment was quoted in confluence. I think, this is a...
XSS in reorder panel
To reproduce: 1. Open a confluence instance in Firefox. 2. Create a space with key "TEST". 3. Create a page in that space called "alert0". 4. Create two pages with the page from step 3 as their parent. 5. Go to: code:none base...
Reflected cross-site scripting (XSS) in dosearchsite action
The dosearchsite action is vulnerable to reflected cross-site scripting XSS via the searchQuery.spaceKey parameter. This vulnerability appears to be very similar to issue CONF-30318 and fixes implemented in response to that issue may fix this vulnerability. If the URL below is visited by an...
XSS in admin/ViewIssueFields.jspa
Reproduction: 1. Create custom fields with alert1 in name and/or description. 2. Go to 'Field Configurations' 3. Click 'Add Field Configuration', enter any text in 'Name' 4. Hit okay and wait for the page to refresh 5. Choose the config you just made - XSSed...
Password displayed in clear text when logging in to a websudo session that has expired
When entering the username/password in the websudo dialog after the user session has expired, JIRA displays all submitted values, including the password in clear text. This is a breach in security; the password should never be displayed in clear text on a web page...
Passwords from variables are visible in plaintext in release versioning preview
Hey Atlassians! You can see the contents of masked variables the ones with "password" in their key when you click on "Add variable to version" in release versioning configuration screen for deployment project. Steps to reproduce: 1. Create a global variable with key: "testpassword" and value "abc...
User invite functionality available to non-admins
The REST API which manages user invites ensures that only adminstrators can generate a new invite token. However, no similar access controls are present on the methods which are used to invite new users, or to revert to the previous security token – these can be successfully called by any...
Resource file path traversal in WebImagesDownloadResourceManager
To reproduce: 1. Create a new page named foo any name can be used, but it must match the markup in step 3 2. In the editor, create an unmigrated-wiki-markup macro by typing "\a" don't copy/paste 3. Replace the "\a" in the macro with: code:none foo|foo|" code 4. Save the page. 5. Export to word...
Convert the SecurityHeadersInterceptor into a filter that applies to /*
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-30356. panel The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current...
XSS in doconfigurerssfeed.action
Filed by vosipov on behalf of write.muhammadwaqar. code...
Force password reset for all users
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-30236. panel Administrators should have an easy way to force users to change passwords in bulk format in emergencies. Has this...
XSS Vulnerability in AAC - Atlassian ID Display Name is not HTML-encoded on user hover
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46719. panel Raised from https://extranet.atlassian.com/jira/browse/INTSYS-23426...
Turning off Anti-XSRF mode has no effect
Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off adding comments is not possible, due to an XSRF warning...
https://jira.atlassian.com/500page.jsp
this page shows all the data about JIRA instance to intruder. It makes it more vulnerable when you know the whole setup...
UI Redressing (Clickjacking)
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-29230. panel Confluence is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to...
SSL Enabled but some link point to http:// instead of https://
This scenario will happen if enable both HTTP8090 and HTTPS8433 and 'Server Base Url' is set to HTTP. Reproduce procedures 1. Access confluence via HTTPS 2. Click menu 'Space' at the top menu 3. At 'Space Directory' page, click any of the menu at the left side eg. All spaces etc. then click link ...
XSS in /secure/admin/AssociateProjectRepPath!default.jspa
fromScreen is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token. noformat GET...
Activity stream not respecting parent page restrictions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-28543. panel The Confluence Activity stream will display all pages that the user has access to according to the restrictions...
Anonymous users can see page restriction data, exposing user ids and group names
If an user navigates to a page that has any kind of individual "editing" restriction but is of public view and then clicks on the padlock icon, he or she will see the Names, Uids of the users who are mentioned in the "edit" restriction or any groups part if the restriction. We think it is wrong t...
Large filter subscriptions can crash a JIRA instance with an OutOfMemoryError
h3. Summary JIRA has no 'rate limiting' or mail limit on filter subscriptions. This means using certain configurations will allow for a significant amount of mail to be created. As this mail is persisted in memory, it's possible to cause OutOfMemoryError's, even with a significant amount of heap...
XSS bug in detail view epic name lozenge rendering
6.1 introduced an xss bug in the detail view, more specifically in the epic field that displays to which epic an issue belongs to...
CreateSupportZipAction directory traversal
There’s a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files into a support zip. This is because the SupportUtility object is marked as @ParameterSafe, and no validation is performed on its serverLogsDirectory path...
Accidental XSRF and DoS consumption-of-space issue
We experienced an unusual growth of our nonspaced attachments that appears to be a DoS vunerability both in an accidental way with a workaround and intentional not easily worked around. This is under Confluence 4.0, but appears to probably apply to 4.3.1 as well. It appears the growing nonspaced...
rememberme cookie is not cleared when user changes password in Confluence
When a user changes their password, the seraph cookie is still valid. To avoid this, all entries for the changed user in the table remembermetoken should be removed...
Information disclosure in REST API
REST endpoints to search groups and to list issue resolutions allow anonymous/unauthenticated access. The former allows to enumerate all groups on a JIRA instance by sending multiple queries as results are limited by jira.ajax.autocomplete.limit. We've verified this on an instance without any...
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
The csrf token cookie should be a 'secure' cookie like the sessionid cookie
That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1.4 setting CSRFCOOKIESECURE to True in settings.py will fix this problem...