4295 matches found
Restrictions do not apply in calendar macro
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-49762. panel Team Calendar restrictions do not apply if the calendar is in a Calendar Macro withing a Confluence page. +Repro...
Processing malformed PNG by incoming mail handler causes OOM and blocks queue
There are two problems: 1. OOM 2. Incoming email processing is blocked Looks like this is similar problem to JRA-35816, fixed in atlassian-core, but mail handler does not use atlassian-core. It affects production OnDemand, all instances. codejava.lang.OutOfMemoryError: Java heap space Dumping hea...
Improve filter behaviour: auto-complete should not give away field values
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-36881. panel h4. Context When using JQL with auto-complete switched on, searching for fields will always list global values. For instance,...
Content with inherited restrictions still appears in search results
I don't know the full story here but there have been numerous reports on EAC now of cases where clicking on a search result gives a 'Not permitted' response. Further investigation by an admin will show that in these cases a parent or grandparent has viewing restrictions applied. It would appear...
DOM XSS in dhtmlHistory.js when using IE
In the createIE function inside dhtmlHistory.js|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-webapp/src/main/webapp/includes/lib/dhtmlhistory/dhtmlHistory.js333 the value of the fragment identifier, is concatenated to create the html of an iframe without first...
Miscellaneous actions are vulnerable to CSRF
This issue is to track the following subset of actions from CONF-27690: StartClusterAction, execute ExternalUserConnectivityAction, execute HandleNameConflictsAction, execute FlushIndexQueueAction, execute ContentRemigrationAction, execute...
User lister action has no cross-site request forgery (XSRF) protection
Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery XSRF. An attacker who exploited this vulnerability could cause the...
Arbitrary file or URL download in ExportWordPageServer
To reproduce: 1. Create a new page. 2. Insert an image with URL: code:none file:///etc/passwd code Edit the page, click +, click Image, select the From the Web tab, enter the file: URL shown above, click Insert, click Save. The image appears invisible on some browsers, but you can verify its...
'self' xss reported in a question's moderate
We have received an external report of a dom xss in the moderation code for a question on answers.atlassian.com. quote 1 DOM XSS Go to https://answers.atlassian.com/ Prepare an question ,after savin it go to the question ,there is an option of "Moderate" ,click it ,there is an option to "Create...
Force password reset for all users
Administrators should have an easy way to force users to change passwords in bulk format in emergencies. Has this been discussed as a possible feature? Are there drawbacks to having a mass password reset force in administration? Would setting password expiration to 1 day expire all passwords in 2...
XSS Vulnerability - delete filter confirmation
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-34074. panel Similar to JRA-31564, an XSS bug exists in the delete filter success screen. Steps to reproduce: 1. Search for issues. 2. Choose...
XSS Vulnerability - delete filter confirmation
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-34074. panel Similar to JRA-31564, an XSS bug exists in the delete filter success screen. Steps to reproduce: 1. Search for issues. 2. Choose...
XSS vulnerabilities in Atlassian Answers
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47042. panel Some users seem to try XSS attack on Atlassian Answers. How to replicate is the following steps. Go to the top pag...
Turning off Anti-XSRF mode has no effect
Turning off Anti-XSRF protection for comments does not have the desired effect. Even if the setting is turned off adding comments is not possible, due to an XSRF warning...
Several XSS flaws in the /rest/tinymce/1
I've found several XSS in the urls and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected e.g. IE7. This limitation comes from the response's Content Type header being set as text/plain. The classical payload...
External image sources can trigger a basic authentication dialogue
When an external resourcee.g. http://foo.com/image.jpeg is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browsers standard 'Basic authentication' dialogue will pop up within on the confluence page. While this i...
Restrict access to personal pages and directory
We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do this. We have some guest accounts that we want to share a particular space with but unfortunately, we can not do that as all of the content in personal spaces and our directory are...
Customized variables whose values are hidden passwords are unmasked revealing the password in the build summary
Step to replicate Create two variables passworder and Passworder notice p with caps Run a customize build overridden the contents of the field While the fields remains hidden in the metadata as expected, the variable with capital P has it values revealed in the build summary see screenshot...
Fix XSS vulnerabilities in managereferrers.vm and importword.vm
Scope of this issue is to address two specific XSS vulnerabilies. The scope of fixing i18n parameters is tracked elsewhere|https://jira.atlassian.com/browse/CONF-15548. Please see the comment below for...
Potential persistent xss in fixCaseInNotifications.jsp
There is a difficult to exploit XSS in fixCaseInNotifications.jsp. We could not get it to trigger, but there are some scenarios where unescaped data can be displayed through fix method correctName, userNameToFix. The relevant code is as follows: code NotificationCaseFixer caseFixer = new...
The application should return caching directives instructing browsers not to store local copies of any sensitive data.
We want to control the server's caching directives from within individual scripts. We have identified following locations, where we can provide HTTP headers 'Cache-control: no-store' and 'Pragma: no-cache'. Please provide these response headers to the following identified locations and to all oth...
Session ID and remember me cookie should expire when LDAP user password is changed
Steps to reproduce Login as a normal Confluence user In another browser or in incognito mode, login as system administrator Go to Confluence Admin Manage Users and click on the user Click Set Password and set a different password for this user Refresh the page and the user can still access the pa...
ldap injection in the custom atlassian authentication code
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47275. panel The custom atlassian ldap authentication code is vulnerable to ldap injection. The method which is vulnerable to ld...
The csrf token cookie should be a 'secure' cookie like the sessionid cookie
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46613. panel That is that csrf token cookie 'csrftoken' should have the 'secure' attribute like the session cookie. In django 1....
ValidationHash generation should use random.SystemRandom instead of random class
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47146. panel ValidationHash generation should use random.SystemRandom instead of the random.Random class when generating a rando...
Potential remote code execution due to embedding of old django-piston
The exposed atlassian api for forummodules found under forummodules/atlassian/api uses an outdated version of django-piston which does not contain the fix for a remote code execution bug due to the use of yaml.load instead of safeload in the emitters.py python scripton line 412. Whilst it appears...
User can upload attachments to restricted pages that adopt restrictions from parent page
Users that should have no access to restricted pages that adopt restrictions from the parent page are able to upload attachments if they know the page ID. How to reproduce: 1. Create 2 users, user1 and user2 2. Create a page with user1 and set the page view and edit restrictions to "Me" 3. Create...
persistent xss through flash swf file attachment download
It is possible to upload a flash swf file which when the attachment 'download' url is visited the flash swf file is executed in the browser and as such can use ExternalInterface.call method to inject javascript defined in the swf file into the browser...
OauthApplinksServlet Open Redirect
The OauthApplinksServlet servlet has an open redirect vulnerability in the doGet that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirec...
'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled
quote LDAP directory users and groups exposed via the /users/userpicker.action. There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior. quote quote The second exposed function that is part of this vulnerability is...
admin/fixcwdmemberships.jsp lacks an XSRF token to run the repair action.
admin/fixcwdmemberships.jsp does not require a csrf token to run the repair action. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...
Improve the default SSL cipherset in standalone JIRA setup
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-27681. panel We are concerned about 'SSL Weak Cipher Suites Supported' and 'SSL Medium Strength Cipher Suites Suppored'. Any suggestions wou...
RSS feed over entire site gives information on restricted pages the user should not see
A customer has reported this issue via a comment on the documentation: http://confluence.atlassian.com/display/DOC/Working+with+RSS+Feeds?focusedCommentId=276627497comment-276627497 quote When someone has an RSS feed covering the whole Confluence instance, he is informed about changes in restrict...
Enumeration of usernames possible in Jira
We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect. After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate t...
GeneralUtil.htmlEscapeQuotes should be annotated HtmlSafe
The GeneralUtil.htmlEscapeQuotes method outputs HTML and thus should be annotated as @HtmlSafe. Not doing so causes its output to be double escaped when automatic escaping is enabled for the plugin/velocity template...
On internal error, JIRA will display error information to the user (in the browser)
When JIRA bundled tomcat?? encounters an internal error it displays error information to the user in the browser. This can leak internal, possibly sensitive, information. It should report that there was an error and inform the user to contact their JIRA admin...
When configured for Internal Database with LDAP for Authentication Only, Confluence does not check the LDAP when authenticating users
Configured Confluence to keep and manage users in its internal database, but to first try to use LDAP for authentication only, via the new interface. Debug output suggests Confluence is not bothering to check the LDAP at any point during the authentication process. More detail is available here:...
Security Vulnerability in Confluence Remote API
We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The Remote API|http://confluence.atlassian.com/display/DOC/Enabling+the+Remote+API allows an attacker to escalate user privileges, excluding the level of syst...
XSS vulnerability in Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Property for enabling/disabling viewage of Jira administrators
As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables through one property in jira-atlassian.properties, and it resolves severall problems. We would prefer that there is a property like jira.administrators.show=true/false,...
XSS vulnerability in PDF export
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...
Can not UPDATE the "Viewable By" field of an issue
After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...
WebSudo should be disabled in devmode
When confluence is started in dev mode, websudo should be disabled...
Password strength measurement and restriction
Enable password strength rules to tell the user the effective strength of the password they choose optionally allow administrators to restrict the minimum strength of passwords chosen by users be pluggable Currently you can enforce password strength by using JIRA with Crowd...
Only strings are encoded
The XML encoder only encodes strings. This could make Confluence return non encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issue and more information on how we rate issues...
XSS vulnerability in search
An XSS vulnerability has been found in the searching component of Confluence...
Miscellaneous support-related JSPs contain XSS holes
JIRA contains a number of support related JSPs that have been added over the years. They were mostly for fighting spam and other support related tasks. Unfortunately none of these were ever tested very much and contain a lot of XSS holes. They are: groupnames.jsp indexbrowser.jsp...
Allow non-Administrators to be able to modify workflows
As an IT Manager, by having to add users to the Administrators group in order to edit and manage workflows is prohibitive to the administration and security of our Jira environment. While I want users to create, manage and edit workflows, I do NOT want them creating or modifying accounts which...
Version number
I notice that the JIRA footer displays the current version of JIRA. Revealing the specifics of the revisions of software that you run in production is generally considered a bad security practice. Is there a reason that it is displayed openly to all users in licensed versions of the product? Is i...
Changing system locale means users with non-ASCII characters in their passwords cannot authenticate
The OSUser and Atlassian-User authenticators used by Confluence convert a password into bytes before hashing it. This conversion doesn't specify which encoding should be used, so the system's default encoding is used. If the system administrator changes the locale settings on the server or change...