4195 matches found
XSS bug in detail view epic name lozenge rendering
6.1 introduced an XSS bug in the detail view, more specifically in the epic field that displays which epic an issue belongs to...
Encrypt Database Password in dbconfig.xml or use integrated authentication
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-31004). Atlassian Update – 5 January 2016: Hi...
Encrypt Database Password in dbconfig.xml or use integrated authentication
Atlassian Update – 5 January 2016: Hi everyone, Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, w...
Encrypt Database Password in dbconfig.xml or use integrated authentication
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-31004). JIRA should encrypt the database password since it's in plain text in the dbconfig.xml file or it could use the integrated...
CreateSupportZipAction directory traversal
There’s a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files into a support zip. This is because the SupportUtility object is marked as @ParameterSafe, and no validation is performed on its serverLogsDirectory path...
BuildEdgeIndexServlet XSRF
The BuildEdgeIndexServlet is responsible for rebuilding the edge index. As this is a servlet and not a Webwork action, XSRF checks must be implemented programmatically. The Servlet does not currently implement any XSRF token checks, meaning the edge index can be forced to be rebuilt when attacked...
UploadAttachmentsAction XSRF
The UploadAttachmentsAction action is declared to use a validatingStack interceptor chain, but does not use the RequiresSecurityToken element, leaving it open to an XSRF attack. If this were exploited, an attacker could force a user’s browser to upload files into a space they have write permissio...
Fix XSS vulnerabilities in managereferrers.vm and importword.vm
Scope of this issue is to address two specific XSS vulnerabilities. The scope of fixing i18n parameters is tracked elsewhere (https://jira.atlassian.com/browse/CONF-15548). Please see the comment below for...
Webwork direct method invocation can bypass validatingStack through Action aliases
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report (http://jira.atlassian.com/browse/CONFCLOUD-27294). WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...
Webwork direct method invocation can bypass validatingStack through Action aliases
WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to different names. This allows a developer to reuse the same action logic, but provide different results based on interceptors. When an action is invoked, Webwork will typically call its...
Webwork direct method invocation can bypass validatingStack through Action aliases
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report (http://jira.atlassian.com/browse/CONFSERVER-27294). WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...
XSS in Issue Collector
Hi Atlassian! There is a XSS vulnerability in the issue collector: File: /atlassian-jira-5.1.8-source/jira-issue-collector-plugin/src/main/resources/templates/view-collector.vm Line 82: $issue.summary Anonymous users can inject JS in the issue summary which usually will be executed by users with...
On Windows, Fisheye attempts to make ssh keys private but appears to be unsuccessful
While testing FE-4315 on Windows, I noticed that even when generating a private key using Fisheye, the file's permissions do not appear to actually change. The code to make the file private is this, in FileSystemUtils: code if SystemUtils.ISOSWINDOWS String username = System.getenv"USERNAME"; Stri...
Persistent XSS in JIRA charting plugin Workload Pie Chart Report
The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...
Inactive users still receiving emails from "Send email" function
The JIRA documentation for deactivating users says, "Will not receive any email notifications from JIRA, even if they continue to remain the assignee, reporter, or watchers of issues." However, when users have been marked as inactive they are not excluded from emails sent to groups via the 'Sen...
Arbitrary resource file download in urlrewrite.xml
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report (http://jira.atlassian.com/browse/CONFCLOUD-26888). There is an arbitrary resource file download vulnerability triggered by a third party library...
Arbitrary resource file download in urlrewrite.xml
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report (http://jira.atlassian.com/browse/CONFSERVER-26888). There is an arbitrary resource file download vulnerability triggered by a third party library...
Arbitrary resource file download in urlrewrite.xml
There is an arbitrary resource file download vulnerability triggered by a third party library org.tuckey.web.filters.urlrewrite.UrlRewriteFilter. The urlrewrite.xml rules file shows the pattern that will trigger a forward rule, which is the equivalent of performing dp =...
XSS vulnerability in atlassian-bonfire-plugin pagination
There is an XSS vulnerability present in the pagination of Bonfire sessions. Steps to reproduce: 1. Create a user with username '" onmouseover="alert4321" blah="' without the single quotes 2. Create at least 21 test sessions owned by this user 3. Visit the user's profile page and click on the tes...
JIRA REST API makes it easy to harvest email addresses
The JIRA REST API makes it easy to harvest email addresses as an anonymous user. 1. Go to https://jira.atlassian.com/browse/JRA-22053 as anonymous. Note that you can't extract email addresses from this page unless the user has used an email address as her username. 2. Now go to...
Reflected XSS in Create Issue Details page
The Create Issue Detail page is vulnerable to reflected XSS. 1. Login to https://$JIRA/ 2. Visit https://$JIRA/secure/CreateIssueDetails.jspa?reporter="alert'XSS'alert'XSS'p+name%3D"&pid=10000&issuetype=2...
File Attachment persistent XSS
There is a persistent XSS vulnerability in the attachment download functionality of Confluence. By uploading a malicious executable file type like SVG (scalable vector graphics) with embedded JavaScript, it’s possible for an attacker to execute arbitrary code under the context of the logged in user...
Persistent xss within build and plan labels
Labels are not escaped when rendered in several resources and so are a persistent xss vector. Some example resources where this can be seen include: plan configuration, plan viewing, http://$host/bamboo/build/label/viewLabels.action and allPlans.action as filter options. An example label which ca...
Reflected xss in the System Notifications administration resource
The System Notifications administration resource is vulnerable to reflected xss through the url used to address the resource and any included parameters. For example: 1. http://localhost:8085/admin19279%27%20+%20alert%281%29%20+%27//904/viewSystemNotifications.action 2...
persistent xss in a user's username within mentions within comments
A user's username is injected into the "rel" attribute of the user mention link without being encoded properly. This means that if the username contains a " character then new attributes can be injected into the user mention link element. Hence, providing a persistent xss vector. To reproduce thi...
Potential persistent xss in fixCaseInNotifications.jsp
There is a difficult to exploit XSS in fixCaseInNotifications.jsp. We could not get it to trigger, but there are some scenarios where unescaped data can be displayed through fix method correctName, userNameToFix. The relevant code is as follows: code NotificationCaseFixer caseFixer = new...