Lucene search
K
AtlassianRecent

4295 matches found

Atlassian
Atlassian
added 2018/10/23 12:24 a.m.616 views

Open redirect in many resources - CVE-2018-13402

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before versio...

6.1CVSS4.6AI score0.01363EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/23 12:24 a.m.34 views

Open redirect in many resources - CVE-2018-13402

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before versio...

6.1CVSS4.6AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2018/10/23 12:13 a.m.616 views

Open redirect in the XsrfErrorAction resource - CVE-2018-13401

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0...

6.1CVSS4.3AI score0.01363EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/23 12:13 a.m.27 views

Open redirect in the XsrfErrorAction resource - CVE-2018-13401

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0...

6.1CVSS4.3AI score0.01363EPSS
Exploits0
Atlassian
Atlassian
added 2018/10/22 11:33 p.m.583 views

Several administrative resources missing WebSudo (improper access control vulnerability) - CVE-2018-13400

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...

6.5CVSS4.1AI score0.01436EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/22 11:33 p.m.31 views

Several administrative resources missing WebSudo (improper access control vulnerability) - CVE-2018-13400

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version...

6.5CVSS4.1AI score0.01436EPSS
Exploits0
Atlassian
Atlassian
added 2018/10/12 1:31 a.m.559 views

XSS in labels widget

If a user can control the content returned by code/rest/dashboards/1.0//gadget/10100/prefscode they can update the searchUrl field to execute a stored XSS. Here are the steps to reproduce: Upload an attachment to a ticket with the following content:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/12 1:30 a.m.545 views

XSS in labels widget

If a user can control the content returned by code/rest/dashboards/1.0//gadget/10100/prefscode they can update the searchUrl field to execute a stored XSS. Here are the steps to reproduce: Upload an attachment to a ticket with the following content:...

7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/10 9:22 a.m.174 views

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

h4. Open redirect in default servlet CVE-2018-11784|https://access.redhat.com/security/cve/cve-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory e.g. redirecting to '/foo/' when the user...

4.3CVSS3.6AI score0.94494EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2018/10/10 9:22 a.m.49 views

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

h4. Open redirect in default servlet CVE-2018-11784|https://access.redhat.com/security/cve/cve-2018-11784 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory e.g. redirecting to '/foo/' when the user...

4.3CVSS3.6AI score0.94494EPSS
Exploits3
Atlassian
Atlassian
added 2018/10/08 4:37 p.m.552 views

Upgrade Tomcat to the version 8.5.32

h4. Problem Current version of Tomcat 8.5.6 bundled with JIRA pre 7.12.1 is vulnerable to https://tomcat.apache.org/security-8.htmlFixedinApacheTomcat8.5.9...

1.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/10/08 4:37 p.m.22 views

Upgrade Tomcat to the version 8.5.32

h4. Problem Current version of Tomcat 8.5.6 bundled with JIRA pre 7.12.1 is vulnerable to https://tomcat.apache.org/security-8.htmlFixedinApacheTomcat8.5.9...

1.5AI score
Exploits0
Atlassian
Atlassian
added 2018/09/21 10:27 a.m.531 views

Deprecate support for authenticating using os_username, os_password as url query parameters

h4. Problem Support for using osusername and ospassword to authenticate when used as url query parameters has been deprecated in Jira 8.0.0. It is possible to disable support for osusername & ospassword as url query parameters for authentication by setting allowUrlParameterValue to false in...

3.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/09/21 10:27 a.m.24 views

Deprecate support for authenticating using os_username, os_password as url query parameters

h4. Problem Support for using osusername and ospassword to authenticate when used as url query parameters has been deprecated in Jira 8.0.0. It is possible to disable support for osusername & ospassword as url query parameters for authentication by setting allowUrlParameterValue to false in...

3.7AI score
Exploits0
Atlassian
Atlassian
added 2018/09/17 12:47 p.m.30 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2018/09/17 12:47 p.m.533 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/09/17 12:39 p.m.530 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/09/17 12:39 p.m.34 views

The administrative smart-commits resource was vulnerable to Cross-site request forgery (CSRF) - CVE-2018-13398

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00534EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/28 4:38 a.m.522 views

Remote Code Execution in Sourcetree for Windows, via Mercurial repo with Git subrepo - CVE-2018-13397

There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to ga...

9CVSS5.9AI score0.02112EPSS
Exploits1Affected Software1
Atlassian
Atlassian
added 2018/08/28 4:38 a.m.39 views

Remote Code Execution in Sourcetree for Windows, via Mercurial repo with Git subrepo - CVE-2018-13397

There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to ga...

9CVSS5.9AI score0.02112EPSS
Exploits1
Atlassian
Atlassian
added 2018/08/27 6:17 a.m.568 views

XSS in various resources when moving issues through the Epic Colour field of an issue - CVE-2018-13395

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML ...

6.1CVSS3.1AI score0.01008EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/27 6:17 a.m.32 views

XSS in various resources when moving issues through the Epic Colour field of an issue - CVE-2018-13395

Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML ...

6.1CVSS3.1AI score0.01008EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/15 1:1 a.m.571 views

The acceptAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13394

The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user accept an answer via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00841EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/15 1:1 a.m.33 views

The acceptAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13394

The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user accept an answer via a Cross-site request forgery CSRF vulnerability...

6.5CVSS6AI score0.00841EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/15 12:44 a.m.32 views

The convertCommentToAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13393

The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user modify a comment into an answer via a Cross-site request forge...

6.5CVSS5.9AI score0.008EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/15 12:44 a.m.590 views

The convertCommentToAnswer resource of Confluence Questions was vulnerable to CSRF - CVE-2018-13393

The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to make a user modify a comment into an answer via a Cross-site request forge...

6.5CVSS5.9AI score0.008EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/10 3:58 a.m.578 views

Issue reporter and assignee user email addresses were disclosed regardless of the email visibility setting - CVE-2018-13391

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote...

5.3CVSS2.3AI score0.01796EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/10 3:58 a.m.36 views

Issue reporter and assignee user email addresses were disclosed regardless of the email visibility setting - CVE-2018-13391

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote...

5.3CVSS2.3AI score0.01796EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/08 9:49 p.m.22 views

Request for Marketplace add-on email notifications can be sent to inactive accounts

h4. Summary Users can navigate to the Atlassian Marketplace within Jira and request add-ons to be installed. This will send all groups defined under the Jira Administrators global permission an email notification indicating a particular user has requested a particular add-on. We have observed the...

3.5AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.83 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.32 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.66 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/08/07 4:20 a.m.29 views

The bundled Atlassian Universal Plugin Manager plugin had a XXE issue - CVE-2018-20233

The version of the bundled Atlassian Universal Plugin Manager plugin had a XML External Entity vulnerability that allowed remote attackers with system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in t...

6.5CVSS3.7AI score0.01818EPSS
Exploits0
Atlassian
Atlassian
added 2018/08/01 9:33 a.m.624 views

Upgrade to Tomcat 8.5.32 necessary

There are new vulnerabilities reported by apache: http://mail-archives.us.apache.org/modmbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E http://mail-archives.us.apache.org/modmbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E It is...

7.5CVSS1.6AI score0.94494EPSS
Exploits3Affected Software1
Atlassian
Atlassian
added 2018/07/30 6:1 a.m.526 views

SSRF/XSPA in ImporterSetupPage

h2. A security bug has been found in Jira Server. Administrator users can test local IP addresses/ports and determine whether they're open or closed. To reproduce: h2. Initial setup - Download https://www.atlassian.com/software/jira/download, install, and start up Jira Software Server. Note: I...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/07/18 5:49 a.m.601 views

The bundled atlassian-http library had a content spoofing issue - CVE-2017-18103

The version of the bundled atlassian-http library was vulnerable to content-spoofing. See https://jira.atlassian.com/browse/HTTP-3 for more details...

4.7CVSS1.6AI score0.00826EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/07/18 5:49 a.m.33 views

The bundled atlassian-http library had a content spoofing issue - CVE-2017-18103

The version of the bundled atlassian-http library was vulnerable to content-spoofing. See https://jira.atlassian.com/browse/HTTP-3 for more details...

4.7CVSS5.2AI score0.00826EPSS
Exploits0
Atlassian
Atlassian
added 2018/07/13 4:58 p.m.558 views

XSS Vulnerability in Code Block Macro

h3. Summary There appears to be an XSS vulnerability when using the powershell syntax from within the Confluence Code Block Macro h3. Environment Confluence 6.6.6 h3. Steps to Reproduce Create a test page add macros code block select language=powershell enter...

0.6AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/07/12 9:35 a.m.50 views

Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL

h3. Summary Non Calendar Creator can see the Username and Password Fields to a Calendar subscribed from URL h3. Environment Confluence 6.7.2 Team Calendar 6.0.17 h3. Steps to Reproduce Login as UserA Calendar Creator Create a new Calendar with the Subscribe by URL option Subscribe to any external...

6.9AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/07/09 8:17 a.m.541 views

Opening embedded SVG file in comment on customer portal makes JIRA run added JavaScript code

h3. Summary Opening embedded SVG file in comment on customer portal makes JIRA run added JavaScript code h3. Steps to Reproduce Log in to customer portal and create a new request Attach new SVG file which contains JavaScript code filename: smiley-test.svg: !screenshot-1.png|thumbnail! After the...

7.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/29 9:11 p.m.510 views

Upgrade to version 3.2.2 of apache commons-collections

h3. Summary Similar to the issue described in CONFSERVER-40130, Synchrony Proxy is still using the old commons-collections library which allows for remote code execution. We can see this by looking at the following directories: code:java...

4.7AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/29 9:11 p.m.25 views

Upgrade to version 3.2.2 of apache commons-collections

h3. Summary Similar to the issue described in CONFSERVER-40130, Synchrony Proxy is still using the old commons-collections library which allows for remote code execution. We can see this by looking at the following directories: code:java...

4.7AI score
Exploits0
Atlassian
Atlassian
added 2018/06/28 3:20 a.m.540 views

XSS in IncomingMailServer resource - CVE-2018-13387

The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML ...

6.1CVSS3.4AI score0.0145EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/28 3:20 a.m.31 views

XSS in IncomingMailServer resource - CVE-2018-13387

The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML ...

6.1CVSS5.7AI score0.0145EPSS
Exploits0
Atlassian
Atlassian
added 2018/06/28 12:36 a.m.566 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/28 12:36 a.m.38 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0
Atlassian
Atlassian
added 2018/06/28 12:30 a.m.33 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0
Atlassian
Atlassian
added 2018/06/28 12:30 a.m.607 views

Path traversal Vulnerability in the review attachment resource - CVE-2017-16859

The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command...

6.5CVSS5.1AI score0.02525EPSS
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/22 2:31 p.m.1202 views

SSRF via REST API /plugins/servlet/gadgets/makeRequest

Confluence installations have permissive whitelist that allows to fetch any URL using confluence like as the proxy. Use GET request GET /plugins/servlet/gadgets/makeRequest?url= Example: to get Yandex start page or any resource you want. code:java GET...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2018/06/22 2:31 p.m.24 views

SSRF via REST API /plugins/servlet/gadgets/makeRequest

Confluence installations have permissive whitelist that allows to fetch any URL using confluence like as the proxy. Use GET request GET /plugins/servlet/gadgets/makeRequest?url= Example: to get Yandex start page or any resource you want. code:java GET...

0.3AI score
Exploits0
Total number of security vulnerabilities4295