Lucene search
K
AtlassianMost viewed

4295 matches found

Atlassian
Atlassian
added 2012/05/24 12:15 p.m.14 views

User can upload attachments to restricted pages that adopt restrictions from parent page

Users that should have no access to restricted pages that adopt restrictions from the parent page are able to upload attachments if they know the page ID. How to reproduce: 1. Create 2 users, user1 and user2 2. Create a page with user1 and set the page view and edit restrictions to "Me" 3. Create...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2012/04/11 4:24 p.m.14 views

deletion of a comment with a security setting sends a notification to all watchers and the history tab

As a non-atlassian developer, I saw a deletion notification for a comment that I was restricted from viewing. That seems like a security leak. It would be annoying if we're trying to hide discussion from certain users for them to see that the discussion is happening at all, it would raise questio...

0.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/07/22 4:46 a.m.14 views

Enable X-FRAME-Options header to implement clickjacking protection

TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTPS pages server config, and test that nothing breaks. --- Description: Current HTTP headers do not contain the X-FRAME-Option, which helps prevents against Clickjacking attacks. A Clickjacking attack is similar to CSRF in which attacker can hijack a...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2011/06/10 5:28 p.m.14 views

Make captcha harder, or allow configuration of captcha difficulty, in order to prevent sophisticated spam attacks

Every day we get a load of automated anonymous comment spam on our confluence pages. It seems that the captcha is too easy. Please can you implement an easily configurable mechanism for making captchas that are harder for spam bots...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/25 2:4 a.m.14 views

XSRF vulnerability in the Mail Page plugin

We have identified and fixed a cross-site request forgery XSRF vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Mail Page plugin. Note that the Mail Page plugin is disabled by default. If you do not have this plugin...

6.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/08/25 1:39 a.m.14 views

Path traversal vulnerability in various Confluence actions

We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers can retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal...

1.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/06/17 8:46 a.m.14 views

Can not UPDATE the "Viewable By" field of an issue

After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...

3.9AI score
Exploits0
Atlassian
Atlassian
added 2010/02/26 5:40 a.m.14 views

A link to Re-Indexing is visible to users even if they are not sys admin

I saw this on EACJ where I am not a sys admin quote XXXX made configuration changes in section 'Custom Fields' at 01/Feb/10 1:16 PM. It is recommended that you perform a re-index. For more information, please click the Help icon. To perform the re-index now, please go to the 'Indexing' section...

1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2010/01/14 8:33 p.m.14 views

CAPTCHA Option Should Exist for The Password Reset Form

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-20150. panel The password reset prompt allows an individual to reset any user's password. My company uses a standard employee id to use for...

0.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/24 5:42 a.m.14 views

Warn about assigning "Anyone" group in Global and Project permissions

Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently. We make a vague mention of it in the documentation https://confluence.atlassian.com/display/JIRA/Managing+Global+Permissions quote if you wish to grant the permission to non...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/07/01 2:36 a.m.14 views

Allow Site Admin to discover restricted pages

A customer mentioned that this functionality is important to have for automation and integration purposes. Currently confluence-administrators are not able to discover restricted pages, despite of their ability to access ie. read the page if they know the url. The customer argued that "this makes...

3.2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/05/26 1:29 a.m.14 views

XSS in concurrent edit notification

If a page is being editted by noformat alert'hacked' noformat and another user edits it at the same time, they are vulnerable to a potential XSS attack...

2.1AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/04/29 8:53 a.m.14 views

XSS vulnerability can be exploited with the viewppt macro

Upload a file test.ppt Use markup: noformatviewppt:test.ppt|height=alert"xss"|width=alert"xss"noformat The scripts will be executed when the page is loaded...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/04/21 1:28 a.m.14 views

Import Pages is not restricted to system admins

The Import pages actions is currently restricted to space admins not system admins like it should. Caused by CONF-10039...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/11/07 6:43 p.m.14 views

Boolean operators on user and group management

Please consider this as a feature request for a future release of Confluence. Boolean operands on Space permissions would be awesome. E.g. setup a Space that people in the LDAP group STAFF and the LDAP group Biosciences were the only people that were able to view/edit/add/etc - otherwise I have t...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/09/04 1:18 a.m.14 views

XSS in site search action

http://confluence.atlassian.com/dosearchsite.action?where=confall&queryString=%3Cscript%3Ealert'foo';%3C/script%3E queryString needs to be escaped. This problem is fixed if they turn on Anti-XSS mode. We still need to fix this as anti-xss is not on by default...

7AI score
Exploits0
Atlassian
Atlassian
added 2008/07/03 4:7 p.m.14 views

Do not release details about securrity vulnerabilities until after the fix was available for a reasonable period of time

It is an unfortunate practice at Atlassian to as a part of release notes release all the information, often including example exploits|http://jira.atlassian.com/browse/CONF-9350, about security vulnerabilities that were fixed in the version being released. This gives us great headaches because: w...

1.8AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2008/03/13 12:20 a.m.14 views

Fix the seraph.os.cookie from failing on Tomcat by upgrading atlassian-seraph

Once SER-117 has been fixed, incorporate the changes into JIRA see the linked issue for a full description of the problem. Note that this only affects Tomcat users; Resin and Orion do not appear to be affected. User Symptoms: Users have checked the "Remember my login on this computer" checkbox al...

3.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/09/13 5:12 a.m.14 views

Multi user custom field cannot be used with the assignable user permission

If a multi user custom field is added to JIRA, and the custom field is added to the Assignable User permission, the Assign Issue operation breaks, when trying to gather the list of assignable Users. This is basically because our MultiUserCF is not specific enough and relies to much on the...

0.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2004/08/25 6:33 a.m.14 views

Enhance Seraph SSO support to create users automatically

panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-4299. panel Users of SSO systems generally also have some sort of external user management. As a simple first step, JIRA's SSO authenticator...

2AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/03 4:30 p.m.13 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Jira Service Management Data Center

This is a vulnerability in a non-Atlassian dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity HTTP Request Smuggling vulnerability was introduced in versions 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0,...

9.1CVSS5.3AI score0.00633EPSS
Exploits1
Atlassian
Atlassian
added 2025/12/12 7:27 a.m.13 views

Insecure Deserialization kind-of Dependency in Crowd Data Center and Server

This High severity Insecure Deserialization vulnerability was introduced in versions 2.0.1, 3.2.2, 6.3.0, 7.0.0, and 7.1.0 of Crowd Data Center and Server. This Insecure Deserialization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allow...

7.5CVSS5.6AI score0.02278EPSS
Exploits1
Atlassian
Atlassian
added 2025/12/04 6:44 a.m.13 views

DoS (Denial of Service) org.codehaus.jettison:jettison Dependency Vulnerability in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2022-4569 was introduced in 5.12.0 of Jira Service Management Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacke...

7.8CVSS7.6AI score0.00195EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/02 11:27 p.m.13 views

DoS (Denial of Service) com.fasterxml.jackson.core:jackson-core Dependency Vulnerability in Crowd Data Center and Server

This High severity Improper Authorization vulnerability was introduced in version 7.1.0 of Crowd Data Center. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated attacker...

8.7CVSS7.3AI score0.00634EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/02 9:27 p.m.13 views

DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency Vulnerability in Crowd Data Center

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.0 of Crowd Data Center. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in...

7.5CVSS7AI score0.0486EPSS
Exploits1
Atlassian
Atlassian
added 2025/12/02 9:27 p.m.13 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency Vulnerability in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expos...

7.5CVSS6.8AI score0.03389EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/02 9:27 p.m.13 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency Vulnerability in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.0 of Crowd Data Center. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated attacker ...

8.2CVSS5.8AI score0.00979EPSS
Exploits1
Atlassian
Atlassian
added 2025/11/13 11:27 a.m.13 views

File Inclusion tar-fs Dependency in Confluence Data Center and Server

This High severity File Inclusion vulnerability known as CVE-2024-12905 was introduced in 7.19 of Confluence Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows an unauthenticated attacker to expose assets in...

7.5CVSS6.9AI score0.02186EPSS
Exploits2
Atlassian
Atlassian
added 2025/09/17 4:9 a.m.13 views

DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Bamboo Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 9.6.0, 10.2.0, and 11.0.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS6.8AI score0.03389EPSS
Exploits0
Atlassian
Atlassian
added 2025/08/13 6:8 a.m.13 views

DoS (Denial of Service) Third-Party Dependency in Bitbucket Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 8.19.0, 9.4.0, and 9.6.0 of Bitbucket Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS7.1AI score0.01898EPSS
Exploits0
Atlassian
Atlassian
added 2020/07/16 11:10 p.m.13 views

Browsing serverInfo anonymously gives version number information

h3. Issue Summary Browsing serverInfo anonymously gives version number information h3. Steps to Reproduce curl https:///rest/api/2/serverInfo navigate to https:///rest/api/2/serverInfo in a browser h3. Expected Results Fail to connect h3. Actual Results The below exception is thrown in the...

7AI score
Exploits0
Atlassian
Atlassian
added 2014/12/16 12:6 a.m.13 views

OGNL Double Evaluation Vulnerability

We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to be able to access the Crucible web interface. All versions of Crucible up to and including 3.6.1...

3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2013/10/01 11:7 a.m.13 views

Doconfiguretheme action accessible to non-administrative users

The doconfiguretheme action allows for configuration of the Documentation theme for Confluence. This action is defined in two namespaces, one of which is accessible by any user of Confluence including anonymous users, if anonymous use of Confluence is allowed. If this action is executed with no...

3.1AI score
Exploits0
Atlassian
Atlassian
added 2012/04/04 6:36 a.m.13 views

/secure/admin/jira/AcknowledgeTask.jspa is an open redirect

The AcknowledgeTask.jspa page found under http://$HOST/secure/admin/jira/AcknowledgeTask.jspa can be used to redirect users to another page on the internet and possibly used to create a non-persistent xss flaw. Here is an example url which will direct a user to http://google.com...

7AI score
Exploits0
Atlassian
Atlassian
added 2010/04/16 4:29 a.m.13 views

Announcement Preview banner is a vector for an XSS attack

The announcement preview banner is currently displayed via the global decorator. It can be used for an XSS attack on virtually every page, via the announcementpreviewbannerst URL parameter. We should display the preview only locally in the admin section...

2.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2009/09/09 5:2 a.m.13 views

admin gadget rest endpoint information leak

the admin rest endpoint can return admin-only information even if the end user is not an admin...

1.3AI score
Exploits0
Atlassian
Atlassian
added 2008/08/19 5:10 a.m.13 views

The TrustedApplicationsFilter doesn't work for /rpc/* URLs

The sessioninview filter doesn't cover rpc URLs I think because this meant that RPC actions didn't show up in the DB until the response what completely written This means that lazily loaded data returned by the HibernateTrustedApplicationDao causes problems when the TrustedApplicationsFilter trie...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/07/23 11:52 a.m.13 views

XSS vulnerability at "Edit Space Permissions"

Description: XSS vulnerability at "Edit Space Permissions" page Exploit: Write to the "Grant permission to" field: "alertdocument.cookie"...

1.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/11 5:30 p.m.12 views

SSRF (Server-Side Request Forgery) axios Dependency in Bamboo Data Center

This High severity SSRF Server-Side Request Forgery vulnerability was introduced in versions 10.0.0, 10.1.0, 10.2.0, 11.0.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This SSRF Server-Side Request Forgery vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of...

8.6CVSS5.3AI score0.00921EPSS
Exploits1
Atlassian
Atlassian
added 2026/06/08 9:29 p.m.12 views

DoS (Denial of Service) @isaacs/brace-expansion Dependency in Confluence Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 10.2.7 of Confluence Data Center. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a...

7.5CVSS5.4AI score0.00278EPSS
Exploits0
Atlassian
Atlassian
added 2026/06/05 10:29 p.m.12 views

XSS (Cross Site Scripting) turbo-stream Dependency in Jira Service Management Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 10.3.8, 10.7.1, 11.0.0, and 11.1.0 of Jira Service Management Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...

7.5CVSS5AI score0.00294EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/12 7:27 a.m.12 views

DoS (Denial of Service) path-to-regexp Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in versions 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...

7.5CVSS8.1AI score0.00932EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/03 9:13 p.m.12 views

Improper Input Validation in MSSQL JDBC driver in Crucible Server and Fisheye Server

This High severity Improper Input Validation in MSSQL driver vulnerability was introduced in version 4.9.0 of Crucible Server and Fisheye Server. This Improper Input Validation vulnerability, with a CVSS Score of 8.1, allows an unauthenticated attacker to exploit an undefinable vulnerability whic...

8.1CVSS8.7AI score0.0067EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/03 3:27 p.m.12 views

DoS (Denial of Server) org.apache.struts:struts-core Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability known as CVE-2016-1182 was introduced in 11.2.0 of Jira Service Management Data Center and Server. This vulnerability with a CVSS Score of 8.2 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H allows an unauthenticated attacke...

8.2CVSS7.8AI score0.25737EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/03 3:27 p.m.12 views

DoS (Denial of Service) ansi-regex Dependency in Jira Service Management Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in versions 10.3.13, and 11.2.0 of Jira Service Management Data Center and Server. This vulnerability with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker...

7.8CVSS8AI score0.03304EPSS
Exploits1
Atlassian
Atlassian
added 2025/12/02 9:27 p.m.12 views

DoS (Denial of Service) com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expos...

7.5CVSS6.8AI score0.01124EPSS
Exploits1
Atlassian
Atlassian
added 2010/11/26 12:27 p.m.12 views

adding "Project Member" to User/Group/Projectrole options list for security level

I'm looking for a fast and easy way to handle security viewability of issues over all projects. Scenario is: We have setup the Jira company environment and several different projects. We have some external developers that are assinged to their specific projects. I did not yet use the security...

0.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2007/08/10 11:43 p.m.12 views

It is possible to see components without logging in

It is possible to see project's components without logging in by just guessing urls, e.g. jira-installation/browse/KEY/component/10881. This will show all the information written on component issues are not shown. This should be restricted so that it is impossible to see any project information...

2.4AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2026/06/04 4:30 p.m.11 views

BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This is a vulnerability in a non-Atlassian dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity BASM Broken Authentication & Session Management vulnerability was introduced in versions 9.12.1, 9.16.0, 9.17.0, 10.0.1, 10.1.1,...

9.8CVSS5.3AI score0.01233EPSS
Exploits1
Atlassian
Atlassian
added 2026/06/02 4:29 p.m.11 views

Improper Authorization org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center

This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This Critical severity Improper Authorization vulnerability was introduced in versions 6.13.0, 7.4.0, 7.13.0, 7.19.0, 8.5.0, 8.9.0, 9.0.1,...

9.1CVSS5.9AI score0.01136EPSS
Exploits1
Total number of security vulnerabilities4295