Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2012/04/19 4:35 a.m.15 views

admin/fixcwdmemberships.jsp lacks an XSRF token to run the repair action.

admin/fixcwdmemberships.jsp does not require a csrf token to run the repair action. When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/19 1:22 a.m.15 views

admin/createMissingPersonalInfo.jsp lacks an XSRF token to trigger "build Personal Information objects"

admin/createMissingPersonalInfo.jsp doesn't require a csrf token to trigger "build Personal Information objects". When fixing this issue, please ensure that the JSP is converted to an action or deleted - we don't want to have to maintain our XSRF infrastructure in JSPs...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/03/26 4:53 a.m.15 views

Bamboo XML Vulnerability

We have identified and fixed a vulnerability in Bamboo that results from the way third-party XML parsers are used in Bamboo. This vulnerability allows an attacker to: Execute denial of service attacks against the Bamboo server, and Read all local files readable to the system user under which Bamb...

3.3AI score
Exploits0
Atlassian
Atlassian
added 2011/10/26 2:8 a.m.15 views

XSS vulnerability in /agent/viewAgent.action resource

We have identified and fixed a reflected cross-site scripting XSS vulnerability in the Bamboo viewAgent.action resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/14 1:8 p.m.15 views

Enumeration of usernames possible in Jira

We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect. After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate t...

2.3AI score
Exploits0
Atlassian
Atlassian
added 2011/06/14 10:6 p.m.15 views

Implement security sanitization of RSS feeds and other included content

A great improvement for RSS macros would be to implement "cleansing" or "sanitization" of external RSS feeds. This may be something that is configured at the admin level or in the macro level -- I'd prefer it to be a global admin requirement. Having externally linked content is a security risk, a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/05/30 7:4 p.m.15 views

Cross-Site Request Forgery

Cross-Site Request Forgery Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that the application is succeptible to Cross-Site Request Forgery attacks within this URL: /jira/plugins/servlet/streamscomments This vulnerability enables...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/04/21 1:16 a.m.15 views

XSS vulnerability in Crucible's Snippets

We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Snippets. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attack...

Exploits0Affected Software1
Atlassian
Atlassian
added 2011/02/03 11:20 p.m.15 views

XSS vulnerability in the action links of Confluence's attachments lists.

We have identified and fixed a cross-site scripting XSS vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/12/03 3:25 a.m.15 views

XSS vulnerability in Pagetree macro

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...

Exploits0Affected Software1
Atlassian
Atlassian
added 2010/09/22 6:24 a.m.15 views

restrict the access to JIRA for specific pairs "user account - host"

to be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such distribution groups and computer groups in tool of the coding of...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/09/16 1:30 p.m.15 views

Can't set visibility on comment created via Activity Stream Gadget

I can't restrict the visibility of an comment created via the activity stream gadget. In our environment it is important for us to have this feature available everywhere where users are able to create comments on issues...

4.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/23 9:46 a.m.15 views

Property for enabling/disabling viewage of Jira administrators

As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables through one property in jira-atlassian.properties, and it resolves severall problems. We would prefer that there is a property like jira.administrators.show=true/false,...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/02 5:14 a.m.15 views

Secure Administrator Sessions feature can be bypassed

In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/06/21 6:16 a.m.15 views

XSS vulnerability in Clickr theme

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...

Exploits0Affected Software1
Atlassian
Atlassian
added 2010/06/21 6:16 a.m.15 views

XSS vulnerability in Clickr theme

We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...

Exploits0
Atlassian
Atlassian
added 2010/06/17 8:46 a.m.15 views

Can not UPDATE the "Viewable By" field of an issue

After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...

3.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/26 3:3 a.m.15 views

XSS in mailpage plugin

XSS vulnerability has been reported against the mailpage plugin. It allows an attacker to execute arbitrary javascript. A new version of the issue has been released that fixes this problem...

4.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/20 3:13 a.m.15 views

Pluggable CAPTCHA

CAPTCHA should be pluggable in JIRA CAPTCHA|http://en.wikipedia.org/wiki/CAPTCHA is supposed to stop spam and other automated nefarious usage of systems. But there is an arms race of CAPTCHA breaking|http://www.slightlyshadyseo.com/index.php/xmcps-how-tobasic-captcha-cracking-techniques-part-1/ a...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/20 3:2 a.m.15 views

Password strength measurement and restriction

Enable password strength rules to tell the user the effective strength of the password they choose optionally allow administrators to restrict the minimum strength of passwords chosen by users be pluggable Currently you can enforce password strength by using JIRA with Crowd...

2.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/05/11 11:35 p.m.15 views

500page.jsp Improvements

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-19601. panel Some further improvements to the 500page.jsp: The following should not appear if there is no stack trace: quote Cau...

1.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 5:52 a.m.15 views

XSS vulnerability in some JSPs under admin section

Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...

0.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/22 5:28 a.m.15 views

Only strings are encoded

The XML encoder only encodes strings. This could make Confluence return non encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issue and more information on how we rate issues...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/04/16 4:36 a.m.15 views

runportleterror.jsp contains XSS hole

The runportleterror.jsp contains an XSS attach vector via the unescaped 'portletKey' URL parameter. The parameter should be escaped properly...

2.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/03/23 2:46 p.m.15 views

Allow non-Administrators to be able to modify workflows

As an IT Manager, by having to add users to the Administrators group in order to edit and manage workflows is prohibitive to the administration and security of our Jira environment. While I want users to create, manage and edit workflows, I do NOT want them creating or modifying accounts which...

3.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/03/16 1:0 a.m.15 views

Custom fileds inconsistently escaped in view and edit screens

Steps to replicate: Create a custom field and name it Hithere On view issue screens, the field appears as Hithere On edit issue screen, the field appears as Hithere on red font I guess we need to make a decision on which one is the desired functionality allow HTML or not and make it consistent...

0.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/03/01 3:54 a.m.15 views

JQL breaks issue security levels based on custom fields

The MultiSelectCustomFieldIndexer does 2 things: index but don't store a case-folded version in the field "customfield10017:retail" store a "raw" version in a new field with the raw added to the end "customfield10017raw:Retail" The problem is that com.atlassian.jira.security.type.GroupCF looks fo...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/02/24 1:11 a.m.15 views

Version number

I notice that the JIRA footer displays the current version of JIRA. Revealing the specifics of the revisions of software that you run in production is generally considered a bad security practice. Is there a reason that it is displayed openly to all users in licensed versions of the product? Is i...

4.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/02/04 9:0 p.m.15 views

Confluence adminsistrators can still view a restricted page if the type in the URL or click on a link in an email

If I set page viewing restrictions on a wki page to one group of which I am a member, other users, including confluence adminsistrators, cannot see the page when navigating within the application. If they type in the URL of the restricted page or click on a link to the restricted page, then can...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/10 6:55 p.m.15 views

Remove database passwords from the file system.

Currently if you connect Jira to an external database, you must store the database credentials on the file system either in the server.xml file Jira standalone, or in an equivalent file. This has security implications. Can we modify the application to not store this information on the file system...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/07 3:45 a.m.15 views

KB "Running JIRA over SSL or HTTPS" needs review for Windows Standalone scenario

There are three recommended updates to the KB Running JIRA over SSL or HTTPS|http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS based on customer feedback. 1. quote When asked to "What is your first and last name" make sure you enter in the DNS name that you will use to...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/12/02 4:10 a.m.15 views

User's Full Name is an XSS vector in Status Updates tab of User Profile

A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile. 1 Set a user's Full Name as "alertdocument.cookie". 2 Log out. 3 If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous. 4 Go to the profile page for the user...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/10/21 1:33 a.m.15 views

Confluence users should inherit permissions from the anonymous user

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-17278. panel This has been derived from CONF-4955|http://jira.atlassian.com/browse/CONF-4955. The above seems to have been fixe...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/09/09 5:2 a.m.15 views

admin gadget rest endpoint information leak

the admin rest endpoint can return admin-only information even if the end user is not an admin...

1.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/08/26 1:55 p.m.15 views

Add a password lockout feature

Confluence does not prevent someone from making a script that tries every possible password combination for a Confluence account. There should be an option to set a max attempts and then lock out the user from the system. This is obviously a security problem as Confluence within most companies us...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/08/12 6:33 p.m.15 views

Uploading large fonts for PDF export fails with XSRF error

When uploading souizhs.ttf font that we use due to its comprehensive UTF8 support, I'm getting XSRF validation error: quote Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page. quote I tried...

0.2AI score
Exploits0
Atlassian
Atlassian
added 2009/08/12 4:55 a.m.15 views

XSS bug when unfavouriting a dashboard

When unfavouriting a dashboard with name 'alert'blah';' the javascript is executed. https://extranet.atlassian.com/display/QA/JIRA+Dashboards+Blitz+-+Mark%27s+Findings...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/06/26 2:5 a.m.15 views

XSS in PDF screen

The "PDF Export Stylesheet" field is not encoded...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/06/03 7:28 a.m.15 views

XSS vulnerability when moving page between spaces

You can create a space with HTML in the name. In most places this space name is correctly encoded however in the tree component given when you chose to move a page the destination space is name is not encoded properly. To reproduce. 1 Create a space called alert"Howdy"; 2 Create a page in another...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/04/21 1:39 p.m.15 views

Issue attachments, need a functionality of Security Schemes

In our JIRA instance both customers and developers have access to issues. We would like to have a security scheme functionality in connection to issue's attachments. In other words, we would like to attach a documentation which would not be visible to customers or other groups of JIRA users...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/14 12:59 a.m.15 views

Attachment list in popup doesn't escape filenames causing XSS hole

The filenames in the attachment list of the link popup aren't being escaped. If you upload an attachment with a filename including html it could be executed...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/03 8:58 p.m.15 views

Restrict anonymous users from viewing user profiles.

Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://wikiBaseUrl/display/accountName. This is a major security problem for us because it exposes: 1. The user's name 2. The user's ID 3. T...

1.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/10/01 10:56 p.m.15 views

Restrict access to page history to certain users (or groups)

panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-13247. panel A customer requested for a new feature to restrict access to page history only to a particular group or certain use...

1.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/07/12 2:44 p.m.15 views

Confluence breaks SSO integration (PATCH)

A long time ago when I wrote our authenticator for wikis.sun.com, I noticed that under some circumstances our SSO server didn't redirect back to wikis.sun.com correctly. It redirected to a confluence URI without specifying the host and the domain, which resulted in the browser ending up on our SS...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/07/03 4:7 p.m.15 views

Do not release details about securrity vulnerabilities until after the fix was available for a reasonable period of time

It is an unfortunate practice at Atlassian to as a part of release notes release all the information, often including example exploits|http://jira.atlassian.com/browse/CONF-9350, about security vulnerabilities that were fixed in the version being released. This gives us great headaches because: w...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/11 4:8 a.m.15 views

username not validated in add user to favourites action

Entering a bogus username here has the unwanted side effect of adding a bogus entity to your user favourites that can't be removed...

1.6AI score
Exploits0
Atlassian
Atlassian
added 2008/02/19 3:16 p.m.15 views

ClassCastException reported when stopping JIRA

When stopping tomcat wich hosts only Jira, there is always such stack trace in tomcat logs: code 2008-02-18 19:25:32,767: ERROR Thread-33 - org.apache.catalina.core.ContainerBase.Catalina.localhost./jira.release - ApplicationFilterConfig.doAsPrivilege java.lang.ClassCastException:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/19 3:16 p.m.15 views

ClassCastException reported when stopping JIRA

When stopping tomcat wich hosts only Jira, there is always such stack trace in tomcat logs: code 2008-02-18 19:25:32,767: ERROR Thread-33 - org.apache.catalina.core.ContainerBase.Catalina.localhost./jira.release - ApplicationFilterConfig.doAsPrivilege java.lang.ClassCastException:...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/02/07 6:4 a.m.15 views

Trusted authentication doesn't work for Confluence users with uppercase usernames

Trying to use the trusted authentication feature of the Jiraissues macro doesn't work when a user's username is uppercase. JIRA shows the following in its log: quote 2008-01-23 13:59:48,104 INFO STDOUT 2008-01-23 13:59:48,104 ajp-0.0.0.0-6103-8 WARN atlassian.seraph.filter.TrustedApplicationsFilt...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/25 9:12 p.m.15 views

Cross-site scripting vulnerability in 500page.jsp

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. The file 500page.jsp should escape the attributes and parameters to prevent code...

1.3AI score
Exploits0
Total number of security vulnerabilities4295