4195 matches found
Potential remote code execution due to embedding of old django-piston
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-46819. The exposed Atlassian API for forummodules found under forummodules/atlassian/api uses an outdated version of...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-26049. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-26049. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and...
Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match
Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and certificate match by unchecking this box when configuring your user directory. Original issue description: Starting Confluence 4.2, th...
XSS vulnerability in Office Connector plugin
From: OFFCONN-81: Using "office excel"-macro as part of viewfile, which is part of office connector plugin seems to open up the possibility to get injected with XSS-code. Steps to reproduce: 1. Create an excel-file with following content in one cell: code '"alert'XSS' code 2. Attach this file to ...
XSS vulnerability in the "move" page action with html/js in the page name
There is a persistent XSS vector in the 'move' page action on a page, where the JavaScript/HTML payload is included in the name of the page. Steps to reproduce: 1. Create a page named: "''/'kasdfjas'dfasdf 2. On the page, click on the "move" option under the tools drop-down menu 3. See an alert bo...
Password Reset doesn't recognise spaces in usernames
When I enter my new password and submit the page, it responds with a message about the username 'philip', but my username is 'philip widan'. There was a similar issue with the Bonfire plugin, which required an upgrade to JIRA v5 to resolve. The URL I clicked on to get to the password reset page...
User can upload attachments to restricted pages that adopt restrictions from parent page
Users that should have no access to restricted pages that adopt restrictions from the parent page are able to upload attachments if they know the page ID. How to reproduce: 1. Create 2 users, user1 and user2 2. Create a page with user1 and set the page view and edit restrictions to "Me" 3. Create...
persistent xss through flash swf file attachment download
It is possible to upload a Flash SWF file which, when the attachment 'download' URL is visited, is executed in the browser and as such can use the ExternalInterface.call method to inject JavaScript defined in the SWF file into the browser...
multimedia macro allows execution of arbitrary scripts
The multimedia macro in Confluence embeds a SWF without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded user-submitted SWF to execute arbitrary JavaScript on the page, constituting an XSS vulnerability. The multimedia tag is bundled in with the base product and not an...
crowd.properties password entry in plain text
The entry application.password in JIRA's crowd.properties is in plain text; there needs to be an option to use an encrypted or hashed value...
persistent xss through svg file attachment download
The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be XML by the isXml method. This means that it is possible for a malicious party to upload an SVG file containing HTML/JavaScript which will be rendered in a victim's web browser. This bug should have been raised a while ag...
Several REST interfaces vulnerable to XSRF
Several REST web services are vulnerable to XSRF (https://www.owasp.org/index.php/Cross-SiteRequestForgeryCSRF), allowing malicious web pages to execute them under the context of a logged-in user's browser. It's understood that JIRA REST interfaces are typically protected against XSRF based on the...
Javascript escape the value of "dark features" within the javascript context they are rendered out in
Current user specific dark feature values are not javascript escaped in the javascript context they exist in. e.g. the value "' + evalalert1 ' +" without the double quotes appears like the following in the feature javascript context: / Dark features are features that can enabled and disabled per...
The "user" Dark Features page is vulnerable to XSRF/csrf
The "User Dark Features" page located at $host/secure/ViewProfile.jspa?selectedTab=jira.user.profile.panels:up-darkfeatures-panel allows users to add dark features which only affect themselves. However, it is not protected against XSRF attacks. Note: the 'value' of dark features is not properly...
OauthApplinksServlet Open Redirect
The OauthApplinksServlet servlet has an open redirect vulnerability in the doGet that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirec...
ConsumerConfigurationServlet Open Redirect
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
AddConsumerReciprocalServlet Open Redirect
The AddConsumerReciprocalServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated...
CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen
The administration screen which facilitates the addition of new custom field options is vulnerable to CSRF, as it does not check that the atltoken submitted is in fact legitimate for the user submitting it; you can put in any value for the token field. To access this screen you can go to a URL...
'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled
"LDAP directory users and groups exposed via the /users/userpicker.action. There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior." "The second exposed function that is part of this vulnerability is...