4295 matches found
Force password reset for all users
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-30236. panel Administrators should have an easy way to force users to change passwords in bulk format in emergencies. Has this...
XSS Vulnerability in AAC - Atlassian ID Display Name is not HTML-encoded on user hover
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46719. panel Raised from https://extranet.atlassian.com/jira/browse/INTSYS-23426...
Disallow multiple sessions for an account
It is currently possible to run several sessions under any account. Some customers prefer to restrict the number of sessions to one, or limit the session to the IP it has been initiated from...
Turning off Anti-XSRF mode has no effect
Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off adding comments is not possible, due to an XSRF warning...
UI Redressing (Clickjacking)
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-29230. panel Confluence is vulnerable to Clickjacking|https://en.wikipedia.org/wiki/Clickjacking. That is, it is possible to...
SSL Enabled but some link point to http:// instead of https://
This scenario will happen if enable both HTTP8090 and HTTPS8433 and 'Server Base Url' is set to HTTP. Reproduce procedures 1. Access confluence via HTTPS 2. Click menu 'Space' at the top menu 3. At 'Space Directory' page, click any of the menu at the left side eg. All spaces etc. then click link ...
Activity stream not respecting parent page restrictions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-28543. panel The Confluence Activity stream will display all pages that the user has access to according to the restrictions...
Anonymous users can see page restriction data, exposing user ids and group names
If an user navigates to a page that has any kind of individual "editing" restriction but is of public view and then clicks on the padlock icon, he or she will see the Names, Uids of the users who are mentioned in the "edit" restriction or any groups part if the restriction. We think it is wrong t...
Large filter subscriptions can crash a JIRA instance with an OutOfMemoryError
h3. Summary JIRA has no 'rate limiting' or mail limit on filter subscriptions. This means using certain configurations will allow for a significant amount of mail to be created. As this mail is persisted in memory, it's possible to cause OutOfMemoryError's, even with a significant amount of heap...
XSS bug in detail view epic name lozenge rendering
6.1 introduced an xss bug in the detail view, more specifically in the epic field that displays to which epic an issue belongs to...
CreateSupportZipAction directory traversal
There’s a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files into a support zip. This is because the SupportUtility object is marked as @ParameterSafe, and no validation is performed on its serverLogsDirectory path...
Accidental XSRF and DoS consumption-of-space issue
We experienced an unusual growth of our nonspaced attachments that appears to be a DoS vunerability both in an accidental way with a workaround and intentional not easily worked around. This is under Confluence 4.0, but appears to probably apply to 4.3.1 as well. It appears the growing nonspaced...
rememberme cookie is not cleared when user changes password in Confluence
When a user changes their password, the seraph cookie is still valid. To avoid this, all entries for the changed user in the table remembermetoken should be removed...
Information disclosure in REST API
REST endpoints to search groups and to list issue resolutions allow anonymous/unauthenticated access. The former allows to enumerate all groups on a JIRA instance by sending multiple queries as results are limited by jira.ajax.autocomplete.limit. We've verified this on an instance without any...
Session expiry pages may echo password in clear text
The "session expiry" and "XSRF token missing" pages will echo any submitted values. This may result in echoing the submitted password to the page in plain text if triggered on the WebSudo authentication page. Modify the error pages sessionexpired.jsp and xsrfmissing.jsp so they don't echo...
The csrf token cookie should be a 'secure' cookie like the sessionid cookie
That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1.4 setting CSRFCOOKIESECURE to True in settings.py will fix this problem...
ValidationHash generation should use random.SystemRandom instead of random class
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47146. panel ValidationHash generation should use random.SystemRandom instead of the random.Random class when generating a rando...
XSS vulnerability in Office Connector plugin
From: OFFCONN-81: Using "office excel"-macro as part of viewfile, which is part of office connector plugin seems to open up the possibility to get injected with XSS-code. Steps to reproduce: 1. Create an excel-file with following content in one cell: code '"alert'XSS' code 2. Attach this file to ...
persistent xss through svg file attachment download
The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml method. This means that is possible for a malicious party to upload a svg file containing html/javascript which will be rendered in victim's web browser. This bug should have been raised a while ag...
admin/fixCaseInNotifications.jsp lacks an XSRF token to start 'notifications fix'
admin/fixCaseInNotifications.jsp does not require a csrf to start 'notifications fix'. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
admin/createMissingPersonalInfo.jsp lacks an XSRF token to trigger "build Personal Information objects"
admin/createMissingPersonalInfo.jsp doesn't require a csrf token to trigger "build Personal Information objects". When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
deletion of a comment with a security setting sends a notification to all watchers and the history tab
As a non-atlassian developer, I saw a deletion notification for a comment that I was restricted from viewing. That seems like a security leak. It would be annoying if we're trying to hide discussion from certain users for them to see that the discussion is happening at all, it would raise questio...
Bamboo XML Vulnerability
We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo. This vulnerability allows an attacker to: Execute denial of service attacks against the Bamboo server, and Read all local files readable to the system user under which Bamb...
Direct access to issue via url discloses structure without authentication
If an issue is accessed via the direct url an error message discloses if the issue is existent or not - even when the use isn't logged-in. In contrast, an existing issue redirects to the login form. This knowledge may open an attack vector on private Jira instances that require authentication...
RSS feed over entire site gives information on restricted pages the user should not see
A customer has reported this issue via a comment on the documentation: http://confluence.atlassian.com/display/DOC/Working+with+RSS+Feeds?focusedCommentId=276627497comment-276627497 quote When someone has an RSS feed covering the whole Confluence instance, he is informed about changes in restrict...
Do not show registered users in quick search to anonymous users
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-23985. panel Registered users appears in quick search, even when it's a search made by anonymous...
XSS vulnerability in /agent/viewAgent.action resource
We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo viewAgent.action resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
make space admin able to see restricted pages in his own space
This is a request to make space admins able to see the content of restricted pages in their own spaces. Currently only confluence-administrators can do that...
Enumeration of usernames possible in Jira
We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect. After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate t...
Web Sudo should be able to be subverted for non browsers (eg scripts) via a HTTP header
We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header. This posts shows the use case https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4 I believe it just as secure since web sudo is really design to stop som...
Implement security sanitization of RSS feeds and other included content
A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or in the macro level -- I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, a...
Implement security sanitization of RSS feeds and other included content
A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or in the macro level -- I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, a...
XSS Vulnerability in Issue Links and Labels
We have identified and fixed a number of cross-site scripting XSS vulnerabilities in JIRA issue links and labels. Affected versions are 4.2.x to 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various...
XSRF vulnerability in the Social Bookmarking plugin
We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Social Bookmarking plugin. Note that the Social Bookmarking plugin is disabled by default. If you do not...
XSRF vulnerability in the Social Bookmarking plugin
We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Social Bookmarking plugin. Note that the Social Bookmarking plugin is disabled by default. If you do not...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
XSS vulnerability in the action links of Confluence's attachments lists.
We have identified and fixed a cross-site scripting XSS vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about...
Admin menu items displayed to non-admins when accessing "Global Templates" page
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-21562. panel When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel ar...
Add warning to Shared Dashboards explaining consequence of 'everyone'
In JRA-22207, a warning was added to the "Shared Filters" page explaining what "Everyone" actually means. The "Shared Dashboards" screen also needs this warning. Please also search in the code for anywhere else this permissions-setting control is used...
XSS vulnerability in Bookmarks macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence bookmarks macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
Implement salting of user passwords
Salting and Hashing of user passwords will require us to provide an upgrade path for users since all existing passwords will become invalid. This change should use the atlassian-security password encode library SEC-1...
XSS in filter.subscription.prefix.monthDay parameter of /secure/FilterSubscription.jspa
http://172.16.230.130:8080/secure/FilterSubscription.jspa?filter.subscription.prefix.interval=180&groupName=jira-users&filter.subscription.prefix.runFromMins=00&nextRun=&filter.subscription.prefix.runToMins=00&filter.subscription.prefix.runToMeridian=pm&filter.subscription.prefix.week=2&filter.su...
Intermittent Session Lost During Add/Edit Page in Firefox
We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...
Google Chrome shows mixed content warning
Hello, when JIRA is requested via https with Google Chrome 6.0.472.63 on all URLs of JIRA https is in red, crossed out and a padlock with red cross is shown with this description: "Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not...
XSS vulnerability in Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Page view restriction is not inheriting to child pages in some spaces
When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...
Confluence should not allow configuration of Office Connector temporary storage location
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...
websudo annotation backwards compatibility (Confluence 3.3)
Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...
XSS in mailpage plugin
XSS vulnerability has been reported against the mailpage plugin. It allows an attacker to execute arbitrary javascript. A new version of the issue has been released that fixes this problem...
500page.jsp Improvements
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-19601. panel Some further improvements to the 500page.jsp: The following should not appear if there is no stack trace: quote Cau...