4195 matches found
Recommended updates email includes excerpts from Private/Restricted pages
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-29254. The recommended updates email will include pages that are restricted, so all users will see an excerpt of that pag...
Recommended updates email includes excerpts from Private/Restricted pages
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-29254. The recommended updates email will include pages that are restricted, so all users will see an excerpt of that page...
Recommended updates email includes excerpts from Private/Restricted pages
The recommended updates email will include pages that are restricted, so all users will see an excerpt of that page. This is a security concern as projects that are documented could contain sensitive information. Also mentioned by users in the comments at...
UI Redressing (Clickjacking)
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-29230. Confluence is vulnerable to Clickjacking (https://en.wikipedia.org/wiki/Clickjacking). That is, it is possible to fra...
UI Redressing (Clickjacking)
Confluence is vulnerable to Clickjacking (https://en.wikipedia.org/wiki/Clickjacking). That is, it is possible to frame Confluence from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name. This issu...
UI Redressing (Clickjacking)
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-29230. Confluence is vulnerable to Clickjacking (https://en.wikipedia.org/wiki/Clickjacking). That is, it is possible to...
Several XSS flaws in the /rest/tinymce/1
I've found several XSS in the urls and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected e.g. IE7. This limitation comes from the response's Content Type header being set as text/plain. The classical payload...
JIRA changes base url without asking for admin authentication
If you access JIRA with the wrong url it tells you that and gives you the options of either hiding the message or updating the base url. If you click the "Update the base url" link, the base url WILL BE CHANGED to that, WITHOUT asking you for admin credentials...
SPAM via Answer
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report: http://jira.atlassian.com/browse/CONFSERVER-47171. I have received an email notification containing a link as an answer to one of my questions. It turns out that it is spam....
SPAM via Answer
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-47171. I have received an email notification containing a link as an answer to one of my questions. It turns out that it is spam. ...
SPAM via Answer
I have received an email notification containing a link as an answer to one of my questions. It turns out that it is spam. I went online to check my question and saw that the answer is not on it. So I believe this is a very serious issue, as we all trust and gave some personal information to Atlassian. Please...
Path traversal in HtmlExporter.java and FileXmlExporter.java
Both HtmlExporter.java and FileXmlExporter.java use the prepareExportFileName method inherited from AbstractExporterImpl.java|https://stash.atlassian.com/projects/CONF/repos/confluence/browse/confluence-core/confluence/src/java/com/atlassian/confluence/importexport/impl/AbstractExporterImpl.java9...
GetResourceServlet pre-auth arbitrary file download vulnerability
The GetResourceServlet Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously. By taking an attacker controlled name parameter and using this in a call to URLConnection.openConnection, an attacke...
ResolveURLServlet pre-auth arbitrary file download vulnerability
The ResolveURLServlet Servlet is vulnerable to an arbitrary file download attack. As the Servlet doesn’t implement its own authorization checks, this can be exploited anonymously. By taking an attacker controlled url parameter and using this in a call to URLConnection.openConnection, an attacker...
External image sources can trigger a basic authentication dialogue
When an external resource, e.g. http://foo.com/image.jpeg, is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browser's standard 'Basic authentication' dialogue will pop up within the Confluence page. While this i...
SSL Enabled but some link point to http:// instead of https://
This scenario will happen if both HTTP (8090) and HTTPS (8433) are enabled and 'Server Base Url' is set to HTTP. Reproduction steps: 1. Access Confluence via HTTPS. 2. Click the 'Space' menu at the top. 3. On the 'Space Directory' page, click any of the menu items on the left side, e.g. All spaces etc., then click link ...
Workbox (Notifications and Tasks) leaks restricted information from a jira issue
If a confluence instance is configured to pull notifications from a JIRA server then if a user 'B' not in group 'A' watches an issue and a comment is added to the issue restricted to group 'A' then user 'B' is able to see the contents of the restricted comment via the "Notifications and Tasks"...
Editing "Global Templates" possible without admin login
If you are logged in to the admin panel you get the following line: "You have temporary access to administrative functions. Drop access if you no longer require it. For more information, refer to the documentation." Pressing "Drop access" redirects you to the normal Wiki page, away from t...
Restrict access to personal pages and directory
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-28592. We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do...
Restrict access to personal pages and directory
We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do this. We have some guest accounts that we want to share a particular space with but unfortunately, we can not do that as all of the content in personal spaces and our directory are...
Restrict access to personal pages and directory
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-28592. We need to restrict access to personal pages and the directory. At present, there doesn't seem to be any way to do...
Custom Seraph Authenticators broken in Confluence 5.0
The constructor signature of com.atlassian.confluence.event.events.security.LoginEvent changed between Confluence 4.3.x and 5.0 - an additional String parameter was added to the constructor. From this: public LoginEvent(Object src, String username, String sessionId, String remoteHost, String...
XSS in /secure/admin/AssociateProjectRepPath!default.jspa
fromScreen is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token. GET...
XSS in /secure/admin/TempoServicesAccess.jspa
allowedIPAccresses is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token. ...
XSS in organisationId in /secure/admin/UpdateBitbucketCredentials.jspa
OrganisationId is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link. GET...
Activity stream not respecting parent page restrictions
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-28543. The Confluence Activity stream will display all pages that the user has access to according to the restrictions...