4195 matches found
Resource file path traversal in WebImagesDownloadResourceManager
To reproduce: 1. Create a new page named foo (any name can be used, but it must match the markup in step 3). 2. In the editor, create an unmigrated-wiki-markup macro by typing "\a" (don't copy/paste). 3. Replace the "\a" in the macro with: foo|foo|" 4. Save the page. 5. Export to word...
Resource file path traversal in IconDownloadResourceManager
To reproduce: 1. Create a new page (title doesn't matter). 2. Insert an image with URL: /confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties (with /confluence/ replaced with the correct base path). Edit the page, click +, click Image, select the From the Web...
Arbitrary file or URL download in ExportWordPageServer
To reproduce: 1. Create a new page. 2. Insert an image with URL: file:///etc/passwd (Edit the page, click +, click Image, select the From the Web tab, enter the file: URL shown above, click Insert, click Save.) The image appears invisible on some browsers, but you can verify its...
getRedirect in JiraWebActionSupport redirects to unsafe URLs by default
In jira-components/jira-api/src/main/java/com/atlassian/jira/web/action/JiraWebActionSupport.java the following code is found (Javadoc of the method): Redirects to the value of {@code getReturnUrl}, falling back to {@code defaultUrl} if the {@code returnUrl} is not set. This method clears the {@code returnUrl}. If...
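The fix for an open redirect of this kind is to validate the returnUrl before honouring it and otherwise fall back to the default. The following is an added example, not code from JiraWebActionSupport or any Atlassian product: `is_safe_return_url` accepts a relative path with a single leading slash, or an absolute https URL whose host name is exactly the instance's own, and refuses scheme-relative (`//host`), backslash (`/\host`), credential (`user@host`) and non-http scheme tricks. The host name passed in, the https-only rule and the function names are assumptions of the example.

```python
from urllib.parse import urlsplit


def is_safe_return_url(return_url, our_host):
    """True only if return_url stays on this instance.

    our_host is the host name of the request being served (an assumption of
    this example; in a real action it would come from the request or the
    configured base URL). Rules: a relative path starting with a single "/"
    is fine; an absolute URL is fine only if it is https and its host name is
    exactly ours; anything else is refused.
    """
    if not return_url:
        return False
    # Control characters enable header injection; leading/trailing whitespace
    # is stripped by browsers and could hide a scheme-relative URL.
    if any(ch in return_url for ch in "\r\n\x00") or return_url != return_url.strip():
        return False
    # Browsers accept "\" where "/" is expected, so /\evil.example is //evil.example.
    candidate = return_url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme:
        # Absolute URL: scheme and host must both match ours. parts.hostname is
        # lower-cased and excludes userinfo, so "https://ours@evil.example" fails.
        return parts.scheme == "https" and parts.hostname == our_host.lower()
    if parts.netloc:
        return False  # scheme-relative //evil.example/...
    return candidate.startswith("/") and not candidate.startswith("//")


def choose_redirect(return_url, default_url, our_host):
    """Safe counterpart of getRedirect: honour returnUrl only if it passes the check."""
    if return_url is not None and is_safe_return_url(return_url, our_host):
        return return_url
    return default_url


if __name__ == "__main__":
    host = "jira.example.com"  # constructed instance host for the demo
    for url in ("/secure/Dashboard.jspa", "https://evil.example/", "//evil.example/",
                "/\\evil.example/", "https://jira.example.com@evil.example/"):
        print(f"{url!r} -> {choose_redirect(url, '/secure/Dashboard.jspa', host)}")
```

The check is deliberately an allowlist on the parsed URL rather than a denylist of prefixes: a prefix check such as "starts with /" alone would still accept `//evil.example/`, which browsers treat as an absolute URL.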
disable XSRF check property has no effect on REST API
When disabling XSRF through the property jira.xsrf.enabled=false in jira-config.properties, according to the page https://developer.atlassian.com/display/JIRADEV/Form+Token+Handling, it doesn't stop the XSRF checking when using the JIRA REST API. However, the property took effect when you try som...
Arbitrary file creation in AbstractRendererExporterImpl
To reproduce: 1. Create a new space. 2. Create a new page. 3. Attach a file called test.txt to the page. 4. Edit the page, and add an image with the URL: /confluence/s/download/attachments/{pageid}//../../../../../../../../../../../../tmp/test.txt ({pageid} must be replaced with the actual...
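The three exporter reports above (path traversal in IconDownloadResourceManager, file: URL download in ExportWordPageServer, and traversal to an arbitrary path in AbstractRendererExporterImpl; the WebImagesDownloadResourceManager report is the same class of bug but its payload is truncated here) all come down to one question: given the `src` of an image in a page, what may the exporter read? The following is an added example, not code from Confluence or any Atlassian product. It decides that with a scheme allowlist for remote URLs and, for local resources, a lexical normalisation plus containment check, and it refuses WEB-INF and META-INF explicitly because containment alone would still serve crowd.properties from inside the webapp root. The context path, webapp directory and function names are assumptions of the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed deployment layout for this example (not taken from the reports).
CONTEXT_PATH = "/confluence"                   # web application context path
WEBAPP_ROOT = "/opt/confluence/webapp"         # exploded webapp on disk
FORBIDDEN_TOP_DIRS = {"WEB-INF", "META-INF"}   # never servable, even inside the root
ALLOWED_REMOTE_SCHEMES = {"http", "https"}


def classify_image_src(src):
    """Return ("remote", url) or ("local", absolute_path), or raise ValueError.

    - file:///etc/passwd and every other non-http(s) scheme is refused;
    - ../ sequences (including percent-encoded ones) are collapsed before the
      containment check, so the result must stay under WEBAPP_ROOT;
    - WEB-INF and META-INF are refused even though they sit inside the root.
    """
    if "\x00" in src:
        raise ValueError("NUL byte in image source")
    parts = urlsplit(src)
    if parts.scheme:
        if parts.scheme not in ALLOWED_REMOTE_SCHEMES or not parts.netloc:
            raise ValueError(f"scheme not allowed: {parts.scheme!r}")
        return ("remote", src)
    if parts.netloc:
        # //host/path is scheme-relative; a browser would fetch it remotely.
        raise ValueError("scheme-relative URL not allowed")

    path = unquote(parts.path)          # decode %2e%2e%2f and friends first
    if "\\" in path:
        raise ValueError("backslash in resource path")
    if path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    if not path.startswith("/"):
        raise ValueError("resource path must be absolute within the context")

    # Join the way a naive implementation would, then normalise and check the
    # result is still under the root. posixpath.normpath collapses "//", "."
    # and ".." purely lexically, so no filesystem access is needed.
    candidate = posixpath.normpath(posixpath.join(WEBAPP_ROOT, path.lstrip("/")))
    if not candidate.startswith(WEBAPP_ROOT + "/"):
        raise ValueError("resource path escapes the webapp root")
    top = candidate[len(WEBAPP_ROOT) + 1:].split("/", 1)[0]
    if top in FORBIDDEN_TOP_DIRS:
        raise ValueError(f"access to {top} is not allowed")
    return ("local", candidate)


def is_allowed(src):
    """Convenience wrapper: True if classify_image_src accepts the source."""
    try:
        classify_image_src(src)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The three payloads from the reports plus two legitimate references.
    for s in (
        "https://example.org/logo.png",
        "/confluence/images/icons/emoticons/smile.png",
        "file:///etc/passwd",
        "/confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties",
        "/confluence/s/download/attachments/pageid//../../../../../../../../../../../../tmp/test.txt",
    ):
        print(f"{s!r}: {'allowed' if is_allowed(s) else 'refused'}")
```

Two points worth noting for anyone porting this check: decode percent-encoding before normalising, otherwise `%2e%2e/` slips past a textual `..` check, and treat the WEB-INF rule as separate from containment, since the crowd.properties payload resolves to a path that is inside the webapp directory.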
Moving pages around spaces using HTTP get without XSRF token
Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this: http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2 Malicious example of how to exploit this in an email message: after opening the email, th...
"Contact Administrators" Process Doesn't Exclude Disabled Administrators
Steps to Reproduce: 1. Create a new test user. 2. Add the newly created user to the confluence-administrators group. 3. Disable the new test user. 4. Access the following URL: /500page.jsp 5. Click the "Confluence Administrators" link, which will redirect you to this URL...
XSS vulnerability in the Office Powerpoint macro (Office Connector)
To reproduce: 1. Attach a ".ppt" file to the page (any file with that extension - it doesn't need to be a PowerPoint file). 2. Add the "Office Powerpoint" macro with Slide Number as: "alertdocument.domain 3. View page. See officeconnector, PptConverter.java, line...
'self' xss reported in a question's moderate
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-47423. We have received an external report of a DOM XSS in the moderation code for a question on answers.atlassian.com...
'self' xss reported in a question's moderate
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-47423. We have received an external report of a DOM XSS in the moderation code for a question on answers.atlassian.com...
'self' xss reported in a question's moderate
We have received an external report of a DOM XSS in the moderation code for a question on answers.atlassian.com. Quoted report: "1. DOM XSS: Go to https://answers.atlassian.com/. Prepare a question; after saving it, go to the question. There is an option "Moderate"; click it. There is an option to "Create...
/rest/menu/1.0/appswitcher displays data unauthenticated
"Calling" this function returns data without any authentication required: curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool Output (curl progress meter first): % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 787 0 787 0 0 531 0...
CSRF in gadgets plugin
The affected methods are: AddOrRemoveGadgetSpecAction.doAdd; AddOrRemoveGadgetSpecAction.doRemove; AddOrRemoveGadgetFeedAction.doAddGadgetFeed; AddOrRemoveGadgetFeedAction.doRemoveGadgetFeed; WhitelistAdminAction.doAddWhitelistUrl; WhitelistAdminAction.doRemoveWhitelistUrl; RevokeOAuthTokensActio...
CSRF in doremoveblogpost.action
Any page can be deleted if a user with sufficient privileges to delete the page clicks an attacker-controlled link, or views an image at an attacker-controlled URL. /pages/doremoveblogpost.action?pageId=...
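The three CSRF reports above (movepage via GET, the gadgets plugin actions, and doremoveblogpost) share one root cause: a state-changing action that runs on any request carrying the victim's session cookie, so an `<img>` in an email or a link is enough. The following is an added example, not Confluence or Atlassian code, showing the two checks that close it: a state-changing action must be a POST (the GET from the movepage report is refused before any token is looked at), and the POST must carry a per-session token compared in constant time. The action list, the parameter name `atl_token`, the request shape and the in-memory session store are assumptions of the example; the gadget actions are named by class and method in the report, not by URL, so they are not listed.

```python
import hmac
import secrets

# Actions from the reports above that change state; any request to them must be
# an XSRF-protected POST. (Constructed list for this example.)
STATE_CHANGING_ACTIONS = {
    "/pages/movepage.action",
    "/pages/doremoveblogpost.action",
}
TOKEN_PARAM = "atl_token"   # parameter name assumed for this example


class XsrfProtector:
    """Per-session token issuance and validation (in-memory stand-in for a session store)."""

    def __init__(self):
        self._tokens = {}

    def token_for(self, session_id):
        """Return the session's token, minting a fresh random one on first use."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def check(self, request):
        """request: dict with method, path, params (dict) and session_id.

        Returns (allowed, reason). Read-only actions pass through untouched.
        """
        if request["path"] not in STATE_CHANGING_ACTIONS:
            return (True, "not a state-changing action")
        if request["method"] != "POST":
            # The movepage GET from the report lands here, token or no token:
            # a GET can be triggered by an <img src=...> the victim never clicks.
            return (False, "state-changing action requires POST")
        supplied = request["params"].get(TOKEN_PARAM)
        if not supplied:
            return (False, "missing XSRF token")
        expected = self._tokens.get(request["session_id"])
        if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return (False, "invalid XSRF token")
        return (True, "ok")


def reported_movepage_get():
    """The request from the movepage report, as the protector sees it (constructed)."""
    return {
        "method": "GET",
        "path": "/pages/movepage.action",
        "params": {"pageId": "787055", "position": "topLevel", "spaceKey": "S2"},
        "session_id": "victim-session",
    }


if __name__ == "__main__":
    protector = XsrfProtector()
    print(protector.check(reported_movepage_get()))
    legit = dict(reported_movepage_get(), method="POST")
    legit["params"] = dict(legit["params"], atl_token=protector.token_for("victim-session"))
    print(protector.check(legit))
```

Requiring POST is not a substitute for the token (a cross-site form can POST), and the token is not a substitute for requiring POST (a token in a GET query string leaks through Referer headers and logs); the two checks are applied together for that reason.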
Make custom field description and options rendering consistent for OnDemand and BTF
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-34440. JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on...
Make custom field description and options rendering consistent for OnDemand and BTF
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-34440. JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on...
Make custom field description and options rendering consistent for OnDemand and BTF
JIRA has different behaviour for how it renders custom field descriptions and options depending on if it's running BTF or on OnDemand. On OnDemand, custom field descriptions are wiki markup, but on BTF they're HTML. On OnDemand, custom field options e.g. for checkbox are plain text, but on BTF...
Regression - "Browse Project" permission for "Reporter" lets users see projects they are not permitted to.
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/JRACLOUD-34389. Regression of JRA-4935. When I add "Reporter" to the "Browse Project" permission of one project, this project instantly becom...
Regression - "Browse Project" permission for "Reporter" lets users see projects they are not permitted to.
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report: http://jira.atlassian.com/browse/JRASERVER-34389. Status Update: Hi everyone, We have reviewed...
Regression - "Browse Project" permission for "Reporter" lets users see projects they are not permitted to.
Regression of JRA-4935. When I add "Reporter" to the "Browse Project" permission of one project, this project instantly becomes visible to ALL users via the project table portlet, whether or not they have any kind of permission to see this project. So all users can see this project, but can't see an...
Convert the SecurityHeadersInterceptor into a filter that applies to /*
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-30356. The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current...
Convert the SecurityHeadersInterceptor into a filter that applies to /*
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-30356. The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current...
Convert the SecurityHeadersInterceptor into a filter that applies to /*
The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current implementation is done in an interceptor [0], it is possible for some resources to be sent without the X-XSS-Protection header. [0] SecurityHeadersInterceptor is in the default interceptor...
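The point of the suggestion is that an interceptor only runs for the action pipeline it is registered in, while a filter mapped to /* wraps every response, static resources included. The following is an added example, not Confluence or Atlassian code, that shows the difference with a WSGI middleware standing in for the servlet filter: `demo_app` mimics an interceptor that only sets the header on .action responses, and `security_headers_filter` wraps it so that every path gets X-XSS-Protection exactly once. The paths, the app and the helper names are assumptions of the example.

```python
HEADER_NAME = "X-XSS-Protection"
HEADER_VALUE = "1; mode=block"


def security_headers_filter(app):
    """WSGI middleware: add X-XSS-Protection to every response, whatever produced it.

    Like a servlet filter mapped to /*, it wraps the whole application, so
    static resources and error pages get the header as well as actions. An
    existing header is left alone rather than duplicated.
    """
    def filtered(environ, start_response):
        def start_response_with_header(status, headers, exc_info=None):
            headers = list(headers)
            if not any(name.lower() == HEADER_NAME.lower() for name, _ in headers):
                headers.append((HEADER_NAME, HEADER_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_header)
    return filtered


def demo_app(environ, start_response):
    """Stand-in for the web app: only .action paths set the header themselves,
    mimicking an interceptor that is not on the static-resource path."""
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/plain")]
    if path.endswith(".action"):
        headers.append((HEADER_NAME, HEADER_VALUE))   # the interceptor ran
    start_response("200 OK", headers)
    return [b"ok"]


def response_headers(app, path):
    """Invoke a WSGI app for path (constructed GET request) and return its header list."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]


def header_values(headers, name):
    """All values of a header, case-insensitively, in order."""
    return [value for key, value in headers if key.lower() == name.lower()]


if __name__ == "__main__":
    wrapped = security_headers_filter(demo_app)
    for path in ("/pages/viewpage.action", "/s/1/_/download/resources/app.js"):
        before = header_values(response_headers(demo_app, path), HEADER_NAME)
        after = header_values(response_headers(wrapped, path), HEADER_NAME)
        print(f"{path}: interceptor only -> {before}, with filter -> {after}")
```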
Reflected XSS in 'where' param of doSearchSite
Olivier Beg reported: https://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=confall%22%3E%3Cimg%20src=x%20onerror=alert1%3E "I assume it is DOM based because it works in Google Chrome." This results in (HTML): co...
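Both this report and the Office Powerpoint Slide Number report above are the same defect in different places: a request parameter is written into an HTML attribute without attribute encoding, so a `"` in the value closes the attribute and the rest of the payload becomes markup. The following is an added example, not Confluence or Atlassian code. It extracts the `where` value from the URL exactly as given in the report, renders it the unsafe way and the hardened way, and shows that attribute encoding turns the injected `<img>` into inert text. The template and function names are assumptions; the reported payload is used verbatim, including the `alert1` form in which it appears on this page.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL exactly as it appears in the report above.
REPORTED_URL = (
    "https://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E"
    "&startIndex=0&lastModified=LASTWEEK&where=confall%22%3E%3Cimg%20src=x%20onerror=alert1%3E"
)


def where_param(url):
    """Extract the decoded 'where' parameter the way the search action receives it."""
    return parse_qs(urlsplit(url).query)["where"][0]


def render_where_unsafe(where):
    """The pattern the report describes: the parameter echoed into an attribute verbatim.

    Kept deliberately vulnerable for comparison; do not use.
    """
    return f'<input type="hidden" name="where" value="{where}">'


def render_where(where):
    """Hardened form: HTML attribute encoding. quote=True escapes both " and ',
    so the value can never close the attribute it is written into."""
    return f'<input type="hidden" name="where" value="{html.escape(where, quote=True)}">'


def breaks_out(rendered):
    """True if the rendered fragment contains more than the single <input> tag,
    i.e. the parameter introduced an element of its own."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    value = where_param(REPORTED_URL)
    print("decoded where:", value)
    print("unsafe breaks out:", breaks_out(render_where_unsafe(value)))
    print("hardened breaks out:", breaks_out(render_where(value)))
    print(render_where(value))
```

Encoding must match the context the value lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside an inline script or an event handler needs JavaScript string escaping as well, and the simplest robust answer there is not to write request data into script contexts at all.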