Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
•added 2025/08/07 7:8 a.m.•15 views

DoS (Denial of Service) Third-Party Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.6.0, 10.2.0, and 11.0.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.2AI score0.0196EPSS
Exploits0
Atlassian
Atlassian
•added 2025/06/06 5:8 a.m.•15 views

Improper Authorization spring-security-crypto dependency in Bamboo Data Center

This High severity spring-security-crypto dependency vulnerability was introduced in versions 9.6.0, 10.1.0, and 10.2.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N allows an...

7.4CVSS7.4AI score0.00568EPSS
Exploits0
Atlassian
Atlassian
•added 2025/05/22 11:8 p.m.•15 views

DoS (Denial of Service) Third-Party Dependency in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 7.19 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to...

7.5CVSS7.3AI score0.01119EPSS
Exploits1
Atlassian
Atlassian
•added 2025/05/14 5:9 a.m.•15 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.9.4, 8.13.4, 8.14.3, 8.15.2, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score o...

7.5CVSS6.8AI score0.01966EPSS
Exploits1
Atlassian
Atlassian
•added 2018/11/12 3:39 a.m.•15 views

Captcha doesn't work for page preview comment

Steps to reproduce: go to Configuration - Spam Prevention turn on Captcha for everyone create a page with image click the image to preview try to make a comment on the image Expected: User needs to enter the captcha to submit the comment Actual: User can submit the comment without entering the...

7.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/06/14 12:29 p.m.•15 views

group normalisation from 4.0 upgrade tasks is breaking permissions

Group normalisation from 4.0 upgrade tasks is breaking permissions. Scenario: backup created for 3.1.7 instance, repo "repo-uppercase-access" configured with "GROUP-A" can read access backup file restored on 4.1 instance, I can see following messages in the upgrade log code$ grep -i renam...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/05/20 9:54 a.m.•15 views

Cannot sign commits and tags for Git Flow

The Git Flow actions do not have an option to sign off commits and tags. Unlike a commit or tag created manually, there is no Sign tag option. See attachment for reference to Add Tag feature that has the Sign tag option...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2016/04/22 2:13 p.m.•15 views

users without "delete attachment permission" can delete attachment

go to space tools permissions and remove the permission of user X to delete attachments go to a page of that space which contains an attachment go to attachments no "delete" link available / expand an attachment to see older versionns including current version for each version there is the...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/04 10:6 p.m.•15 views

Remove old plugin manager

The old plugin manager is still available in confluence if you know the URL ../admin/viewplugins.action it looks quite terrible and given it is almost an unknown feature most of the current Confluence Team would not know to fix it if there are security problems with it. It was kept when we put UP...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/03 7:44 p.m.•15 views

Users with only View Space permission are able to edit Space Questions

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-46923. panel h2. Problem Summary Users are able to edit any Space Questions as long as they have View permissions for that spac...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/06/03 8:28 a.m.•15 views

XSS in JIRA via PDF attachment

PDF attachments are considered active content and can be used to xss users...

3.2AI score
Exploits0
Atlassian
Atlassian
•added 2015/06/03 8:28 a.m.•15 views

XSS in JIRA via PDF attachment

PDF attachments are considered active content and can be used to xss users...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/03/25 1:19 p.m.•15 views

Sensitive information displayed in anonymous REST API calls

h4. Expected behavior Block sensitive information from being displayed on anonymous REST API calls in JIRA. h4. Actual behavior Users' full-name are displayed when running the calls below: noformat /user/picker?query= /groupuserpicker?query=ali&showAvatar noformat Default fields and custom fields...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/13 9:50 a.m.•15 views

User receiving notification from a restricted space

h6. Steps to replicate Download Confluence 5.5.2. Create an user "test". Create a group "testing". Add the user "test" into group "testing". Create a space name "Permission". Restrict the space to group "testing". Access Confluence as user "Test". Access the page name "Permission" and watch the...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2015/01/09 12:26 a.m.•15 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of one of Apache Struts libraries. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Bamboo web interface. All versions of Bamboo up t...

2.8AI score
Exploits0
Atlassian
Atlassian
•added 2014/10/14 5:42 p.m.•15 views

Adding Subscription Cal by URL stores user password unencrypted

I discovered that calendar subscriptions not only store user credentials, but do so unencrypted!!! There is really no excuse for this. Subscribe to a calendar by url, then in the DB : code SELECT TOP 1000 ID ,KEY ,SUBCALENDARID ,VALUE FROM YOUR-DB-NAME.dbo.AO950DC3TCSUBCALSPROPS code As an...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/14 3:23 a.m.•15 views

Mail sever configuration page sends mail server password back in the html

The mail server configuration page fills in the current mail server password in the html and it should not. Instead a place-holder value should be used instead of the current password value and if the place-holder value is submitted in a request then the mail server password is not updated...

0.7AI score
Exploits0
Atlassian
Atlassian
•added 2014/10/08 7:14 a.m.•15 views

Session ID URL's in logfile

Hi, In the logfiles you can see the session ID's in the URL. Can this be used to hack into a another account?...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/07 4:8 a.m.•15 views

"Recently updated" plugin can be used to reflect arbitrary static content to browser

This request: noformat /plugins/recently-updated/changes.action?theme=XXXXXXXX noformat results in the response: noformat HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-cache, must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Confluence-Request-Time: 1412654577325...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/10/01 1:24 a.m.•15 views

Confluence search returns results from Questions, eventhough CQ does not have anonymous "can-use" permissions

h4.Steps to Reproduce: Install CQ "1.0.618" or "1.0.618.001" Make sure that CQ does not have anonymous access Browse through Confluence as anonymous Do a search h4.Expected Results: Results should not contain anything from Questions. h4.Actual Results: Results show Questions topics, but upon...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/07/08 8:1 p.m.•15 views

Can't push subtree

As requested in answer to my stackoverflow http://stackoverflow.com/questions/24637748/cant-push-subtree-using-sourcetree post I'm posting this potential bug here. Using a basic schema for git subtree I created 2 repository on Github: "project" and "framework" and made the followings: - Clone...

7.1AI score
Exploits0
Atlassian
Atlassian
•added 2014/06/10 7:12 p.m.•15 views

Hide passwords in ps aux for https git tasks

When git checkout tasks configured to use HTTPS run, the user and password are exposed in ps aux: noformat bamboo 15138 0.0 0.0 86752 2224 ? S May20 0:00 git-remote-https https://gituser:[email protected]/scm/consumer/XXXX.git...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2014/05/26 11:49 a.m.•15 views

Direct Object Reference - User Information Disclosure

panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-46864. panel A direct object reference vulnerability exists on the answers.atlassian.com platform which allows for malicious use...

0.5AI score
Exploits0
Atlassian
Atlassian
•added 2014/05/08 7:34 a.m.•15 views

Applink configuration data is exposed anonymously

panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-38225. panel If you make an anonymous GET request to /rest/issueLinkAppLink/1/appLink/info , the instance will tell you all the names, IDs an...

7.3AI score
Exploits0
Atlassian
Atlassian
•added 2014/01/01 11:26 p.m.•15 views

Content with inherited restrictions still appears in search results

I don't know the full story here but there have been numerous reports on EAC now of cases where clicking on a search result gives a 'Not permitted' response. Further investigation by an admin will show that in these cases a parent or grandparent has viewing restrictions applied. It would appear...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2013/11/21 4:35 a.m.•15 views

Privilege escalation

We have identified and fixed a vulnerability in Stash which allowed unauthenticated users to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to your Stash web interface. The Stash server is only vulnerable if it has been...

3AI score
Exploits0
Atlassian
Atlassian
•added 2013/10/11 3:47 a.m.•15 views

doeditdefaultspacepermissions.action vulnerable to CSRF

EditSpacePermissionDefaultsAction, execute...

3.8AI score
Exploits0
Atlassian
Atlassian
•added 2013/08/08 5:20 p.m.•15 views

Persistent XSS in Username field

The XSS vulnerability is only present in some parts of the UI where the username is incorrectly marked as "safe" for HTML output. Known vulnerability points: When viewing a user's activity stream on their profile page When viewing the site-wide activity stream in the Administrative UI This...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2013/06/20 8:12 a.m.•15 views

Allow cookie-less instance for security reasons

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29687. panel Allow administrators to completely remove 'remember me' and disallow remembering usernames and passwords via HTML5...

2.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2013/03/04 11:16 p.m.•15 views

User receives an email even though they don't have access to the page where a task was unassigned

h3. Steps to reproduce: Find/Create a space that has restricted view access Create a page and assign a task to a user that doesn't have view access to the page. Save the page. User does not receive an email, and the task does not show up in the user's to-do correct behavior Edit the page and...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2012/04/19 4:35 a.m.•15 views

admin/fixcwdmemberships.jsp lacks an XSRF token to run the repair action.

admin/fixcwdmemberships.jsp does not require a csrf token to run the repair action. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2012/01/12 1:54 p.m.•15 views

LogToServer action lets anyone log messages to the server log

Available without authentication. This can be used to hide breakin attempts or fill the disk if no log rotation is in place...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/07/09 1:35 a.m.•15 views

Support web sudo and other password confirmation features with custom authenticators

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-22875. panel By default, web sudo and other password confirmation features in Confluence 3.5 and later are disabled if a custom...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/05/30 7:4 p.m.•15 views

Cross-Site Request Forgery

Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2011/04/21 1:16 a.m.•15 views

XSS vulnerability in Crucible's Snippets

We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Snippets. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attack...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/12/03 3:25 a.m.•15 views

XSS vulnerability in Pagetree macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/22 6:24 a.m.•15 views

restrict the access to JIRA for specific pairs "user account - host"

to be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such distribution groups and computer groups in tool of the coding of...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/09/16 1:30 p.m.•15 views

Can't set visibility on comment created via Activity Stream Gadget

I can't restrict the visibility of an comment created via the activity stream gadget. In our environment it is important for us to have this feature available everywhere where users are able to create comments on issues...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/23 9:46 a.m.•15 views

Property for enabling/disabling viewage of Jira administrators

As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables through one property in jira-atlassian.properties, and it resolves severall problems. We would prefer that there is a property like jira.administrators.show=true/false,...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/08/02 5:14 a.m.•15 views

Secure Administrator Sessions feature can be bypassed

In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/21 6:16 a.m.•15 views

XSS vulnerability in Clickr theme

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...

Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/06/21 6:16 a.m.•15 views

XSS vulnerability in Clickr theme

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...

Exploits0
Atlassian
Atlassian
•added 2010/06/17 8:46 a.m.•15 views

Can not UPDATE the "Viewable By" field of an issue

After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/20 3:13 a.m.•15 views

Pluggable CAPTCHA

CAPTCHA should be pluggable in JIRA CAPTCHA|http://en.wikipedia.org/wiki/CAPTCHA is supposed to stop spam and other automated nefarious usage of systems. But there is an arms race of CAPTCHA breaking|http://www.slightlyshadyseo.com/index.php/xmcps-how-tobasic-captcha-cracking-techniques-part-1/ a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/05/20 3:2 a.m.•15 views

Password strength measurement and restriction

Enable password strength rules to tell the user the effective strength of the password they choose optionally allow administrators to restrict the minimum strength of passwords chosen by users be pluggable Currently you can enforce password strength by using JIRA with Crowd...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 5:52 a.m.•15 views

XSS vulnerability in some JSPs under admin section

Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/22 5:28 a.m.•15 views

Only strings are encoded

The XML encoder only encodes strings. This could make Confluence return non encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issue and more information on how we rate issues...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/04/16 4:36 a.m.•15 views

runportleterror.jsp contains XSS hole

The runportleterror.jsp contains an XSS attach vector via the unescaped 'portletKey' URL parameter. The parameter should be escaped properly...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/16 1:0 a.m.•15 views

Custom fileds inconsistently escaped in view and edit screens

Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
•added 2010/03/01 3:54 a.m.•15 views

JQL breaks issue security levels based on custom fields

The MultiSelectCustomFieldIndexer does 2 things: index but don't store a case-folded version in the field "customfield10017:retail" store a "raw" version in a new field with the raw added to the end "customfield10017raw:Retail" The problem is that com.atlassian.jira.security.type.GroupCF looks fo...

2.7AI score
Exploits0Affected Software1
Total number of security vulnerabilities4295