4195 matches found
Disable browser password save on Admin page in Firefox
In Chrome, Safari and IE there is no browser prompt to store the password, but on Firefox (both Mac and Windows) I get prompted to save the password. We are only concerned about this for the Admin page password prompt specifically...
Disable browser password save on Admin page in Firefox
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-25008. In Chrome, Safari and IE there is no browser prompt to store the password but on Firefox both Mac and Windows I ge...
Direct access to issue via url discloses structure without authentication
If an issue is accessed via the direct URL, an error message discloses whether the issue exists or not, even when the user isn't logged in. In contrast, an existing issue redirects to the login form. This knowledge may open an attack vector on private Jira instances that require authentication...
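The report above describes an existence oracle: anonymous requests for a real key and a bogus key are answered differently. The following is an added example, not Atlassian code, that models the leaky ordering of checks next to the hardened one (authentication gate first), and includes a checker that tells the two apart plus the enumeration loop an attacker would run against the leaky one. The issue keys, the login path and the response shapes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the only issue keys that exist in this toy instance.
EXISTING_ISSUES = {"PROJ-1", "PROJ-2", "PROJ-10"}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def login_redirect(issue_key: str) -> Response:
    # Assumed login path; the real one is product-specific.
    return Response(302, location="/login?next=/browse/" + issue_key)


def leaky_handler(issue_key: str, authenticated: bool) -> Response:
    """Models the reported behaviour: existence is checked before authentication,
    so an anonymous caller gets 404 for bogus keys and a login redirect for real ones."""
    if issue_key not in EXISTING_ISSUES:
        return Response(404, body="The issue %s does not exist." % issue_key)
    if not authenticated:
        return login_redirect(issue_key)
    return Response(200, body="Issue " + issue_key)


def hardened_handler(issue_key: str, authenticated: bool) -> Response:
    """Authentication gate first: every anonymous request gets the same answer,
    whether or not the key exists."""
    if not authenticated:
        return login_redirect(issue_key)
    if issue_key not in EXISTING_ISSUES:
        return Response(404, body="The issue %s does not exist." % issue_key)
    return Response(200, body="Issue " + issue_key)


def fingerprint(resp: Response, key: str) -> tuple:
    """What an attacker can compare between two responses. The probed key is
    factored out so a redirect that merely echoes it is not counted as a difference."""
    return (resp.status,
            (resp.location or "").replace(key, "KEY"),
            resp.body.replace(key, "KEY"))


def is_existence_oracle(handler, known_key: str, unknown_key: str) -> bool:
    """True when anonymous responses for a real and a bogus key are distinguishable."""
    a = fingerprint(handler(known_key, False), known_key)
    b = fingerprint(handler(unknown_key, False), unknown_key)
    return a != b


def enumerate_keys(handler, project: str, upper: int) -> set:
    """What the oracle buys an attacker: walk PROJ-1..PROJ-<upper> without logging in
    and keep every key that is not answered with 404."""
    return {"%s-%d" % (project, n) for n in range(1, upper + 1)
            if handler("%s-%d" % (project, n), False).status != 404}


if __name__ == "__main__":
    print("leaky oracle:", is_existence_oracle(leaky_handler, "PROJ-1", "PROJ-999"))
    print("hardened oracle:", is_existence_oracle(hardened_handler, "PROJ-1", "PROJ-999"))
    print("keys found via leaky handler:", sorted(enumerate_keys(leaky_handler, "PROJ", 12)))
```

Against the hardened handler the enumeration loop returns every key in the range, which is the point: an anonymous caller learns nothing. The same check applies to any authenticated-only resource (pages, attachments, users), not just issues.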
open redirect in flushcache.action
A skipfish scan of Confluence found that flushcache.action is vulnerable to 'open redirect', as the returlUrl seems to end up in the Location HTTP header on a 302 redirect response. Note the token parameter; here is an example attack using the flaw...
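The fix for a return-URL parameter that is copied into a Location header is to validate it as a same-site target before redirecting. The following is an added example, not Confluence's code: a validator that accepts only relative paths or absolute URLs on the site's own host, re-emits just the path and query, and falls back to a fixed page for everything else. The allowed host name and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"confluence.example.com"}  # assumed: the instance's own hostname(s)
FALLBACK = "/dashboard.action"              # assumed: safe landing page for rejected targets


def safe_return_url(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return a same-site path to place in the Location header, or `fallback`."""
    if not candidate:
        return fallback
    # Browsers ignore control characters and whitespace inside URLs; drop them so
    # "java\tscript:" or "\n//evil" cannot slip past the checks below.
    url = "".join(ch for ch in candidate if ch > " " and ch != "\x7f")
    # In http(s) URLs browsers treat backslash as slash, so "/\evil" means "//evil".
    url = url.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http(s) to one of our own hosts is acceptable. Even then
        # only path+query is re-emitted, so userinfo ("ourhost@evil") and port cannot leak in.
        if parts.scheme.lower() not in ("http", "https"):
            return fallback          # javascript:, data:, vbscript:, ...
        if parts.hostname not in allowed_hosts:
            return fallback
    elif parts.netloc:
        return fallback              # protocol-relative "//evil.example/..."
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback              # relative paths, and "//host" hiding inside a path
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for probe in ["/display/DOC/Home", "https://confluence.example.com/x?y=1",
                  "https://evil.example/", "//evil.example/", "/\\evil.example",
                  "javascript:alert(1)", "https://confluence.example.com@evil.example/"]:
        print("%-48r -> %s" % (probe, safe_return_url(probe)))
```

Allow-listing the host is deliberately stricter than a blocklist of known tricks; the normalisation steps exist because `urlsplit` alone does not see URLs the way a browser does.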
XSS Vulnerabilities in JIRA Attachments?
At the moment, JIRA does not have any restrictions on attachment files, which allows users to upload malicious files into JIRA issues. This can be a problem when we open an attachment using Mozilla Firefox, since the browser allows us to open attachments in the web browser. The steps to...
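An uploaded HTML or SVG file only becomes stored XSS if the browser renders it inline on the application's origin. The following is an added example, not JIRA's code, of the response headers a download endpoint should emit: active content types are relabelled as opaque bytes and forced to download, `nosniff` stops Firefox and IE from guessing HTML out of a `.txt`, and a `sandbox` CSP means that even a rendered file has no script and no origin. The type and extension lists are the ones commonly treated as active; the header values are standard.

```python
import mimetypes
import re
from typing import Optional
from urllib.parse import quote

# Content types and extensions that a browser will render as a document with script
# access. Anything matching is always forced to download and relabelled as opaque bytes.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml", ".mht", ".mhtml"}


def content_disposition(filename: str) -> str:
    """RFC 6266 header: an ASCII-only fallback plus a percent-encoded UTF-8 filename*.
    The fallback regex also removes quotes, CR and LF, so a crafted name cannot break the header."""
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (fallback, quote(filename, safe=""))


def attachment_headers(filename: str, declared_type: Optional[str] = None) -> dict:
    """Response headers for serving one user-uploaded attachment.
    `declared_type` is whatever the uploader's browser sent at upload time: attacker-controlled."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    guessed, _ = mimetypes.guess_type(filename)
    ctype = (declared_type or guessed or "application/octet-stream").split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES or ext in ACTIVE_EXTENSIONS:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": content_disposition(filename),
        # Stops Firefox/IE from sniffing HTML out of a file labelled text/plain.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if the file is ever rendered anyway, it runs with no script
        # and an opaque origin, so it cannot read the user's session.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    for name, declared in [("report.html", "text/html"), ("logo.svg", None),
                           ("evil.txt", "text/html"), ("notes.txt", "text/plain; charset=utf-8")]:
        print(name, "->", attachment_headers(name, declared)["Content-Type"])
```

Serving attachments from a separate origin (a dedicated download host) is the stronger companion control: then even a rendered file cannot touch the application's cookies.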
RSS feed over entire site gives information on restricted pages the user should not see
A customer has reported this issue via a comment on the documentation: http://confluence.atlassian.com/display/DOC/Working+with+RSS+Feeds?focusedCommentId=276627497#comment-276627497 Quote: "When someone has an RSS feed covering the whole Confluence instance, he is informed about changes in restrict...
Comment field on GH cards does not respect the comment visibility.
If you add the Comment field to any Issue View in GH, the field shows the latest comment, but it doesn't inherit the comment visibility from Jira. This misbehaviour happens on the Planning board and Task board with any of the GH views (Summaries, Cards and Lists). Steps to Reproduce: Add the comment field to a...
LogToServer action lets anyone log messages to the server log
Available without authentication. This can be used to hide break-in attempts or fill the disk if no log rotation is in place...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-24358. This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-24358. This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for...
Provide an abstract Seraph authenticator for SSO authenticators to subclass that reduces the plumbing code required to interact with Embedded Crowd
This is currently the most comprehensive version I have so far compiled of the code a custom SSO authenticator for Seraph must provide in order to not break any of the functionality in Confluence: https://bitbucket.org/jaysee00/example-confluence-sso-authenticator. It would be great if we could...
Upgrade Tomcat to latest minor version
See http://www.cvedetails.com/cve/CVE-2011-4084/. We're shipping 6.0.32 at the moment...
Activity Streams shows restricted content from Confluence
To reproduce: 1. Create a test user. 2. Configure the user to belong only to the 'users' group. 3. Remove the 'users' group from the Confluence global permissions, so the 'users' group won't be able to use Confluence. 4. In the Activity Streams gadget on the default JIRA dashboard, the test user can still see Confluence...
Do not show registered users in quick search to anonymous users
Registered users appear in quick search, even when it's a search made by anonymous...
Do not show registered users in quick search to anonymous users
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-23985. Registered users appear in quick search, even when it's a search made by anonymous...
Do not show registered users in quick search to anonymous users
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-23985. Registered users appear in quick search, even when it's a search made by anonymous...
Issue key can be enumerated - Resolve Issue Feature
Security auditing tests performed on a locally running instance of Jira Bug, Issue and Project Tracking Software showed that the application is susceptible to horizontal privilege elevation attacks within the Resolve Issue feature, accessible through the given address:...
Permission Checking Bug in FishEye Changeset Tooltips
We have identified and fixed a permission checking bug in the FishEye changeset tooltips. Affected versions are 2.4.6 to 2.5.6. This bug allows users to view metadata for changesets that they do not have permission to view. This issue is reported in our security advisory on the following page:...
Cross Site Request Forgery - Deleting User's Dashboards
Security auditing tests performed on a locally running instance of Jira Bug, Issue and Project Tracking Software showed that the application is susceptible to Cross-Site Request Forgery attacks within this URL:...
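A dashboard-deletion URL is forgeable when the server accepts the request on the strength of the session cookie alone. The following is an added example, not Jira's code, that models the reported handler next to a hardened one: state changes only on POST, from the site's own Origin, and with a token that is HMAC-bound to the session and expires. The secret key, site origin, parameter names and request shape are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

SECRET = os.urandom(32)                    # assumed: per-deployment key, kept out of the session store
SITE_ORIGIN = "https://jira.example.com"   # assumed: the instance's own origin
TOKEN_TTL = 8 * 3600                       # seconds a token stays valid


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Token bound to the session by HMAC, so a token leaked from another user is useless."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    msg = ("%s:%d:%s" % (session_id, ts, nonce)).encode()
    return "%d:%s:%s" % (ts, nonce, hmac.new(SECRET, msg, hashlib.sha256).hexdigest())


def verify_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Recompute the MAC for this session and compare in constant time; reject stale tokens."""
    try:
        ts_str, nonce, sig = token.split(":")
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    age = int(time.time() if now is None else now) - ts
    if not 0 <= age <= TOKEN_TTL:
        return False
    msg = ("%s:%d:%s" % (session_id, ts, nonce)).encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def vulnerable_delete_dashboard(request: dict, session: dict) -> int:
    """Models the report: any request naming a dashboard deletes it, whatever its
    method or origin, so an <img src="...?pageId=10000"> on a third-party page suffices."""
    session["dashboards"].discard(request["form"].get("pageId"))
    return 200


def delete_dashboard(request: dict, session: dict) -> int:
    """Hardened handler: POST only, same-origin when the browser says so, valid session-bound token."""
    if request["method"] != "POST":
        return 405                                   # GET must never change state
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                                   # cross-site form post
    if not verify_csrf_token(request["form"].get("csrf_token", ""), session["id"]):
        return 403                                   # missing, forged, foreign or expired token
    session["dashboards"].discard(request["form"].get("pageId"))
    return 200


if __name__ == "__main__":
    # Constructed session and requests: a forged GET from another site and a legitimate POST.
    sess = {"id": "sess-1", "dashboards": {"10000", "10001"}}
    forged = {"method": "GET", "headers": {"Referer": "https://evil.example/"}, "form": {"pageId": "10000"}}
    print("forged request against hardened handler:", delete_dashboard(forged, sess))
    good = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "form": {"pageId": "10000", "csrf_token": issue_csrf_token("sess-1")}}
    print("legitimate request:", delete_dashboard(good, sess), sorted(sess["dashboards"]))
```

The Origin check is a cheap second layer that catches forged POSTs even when a token leaks; the token check is what actually matters, because older browsers and some proxies strip Origin.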
XSS vulnerability in /admin/chooseBuildsToMove.action resource
We have identified and fixed a reflected cross-site scripting (XSS) vulnerability in the Bamboo chooseBuildsToMove resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in /agent/configureAgents resource
We have identified and fixed a reflected cross-site scripting (XSS) vulnerability in the Bamboo configureAgents resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in /agent/viewAgent.action resource
We have identified and fixed a reflected cross-site scripting (XSS) vulnerability in the Bamboo viewAgent.action resource. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in default 'internal server error' page
We have identified and fixed a reflected cross-site scripting (XSS) vulnerability in the Bamboo default 'internal server error' page. This issue is reported in our security advisory on this page: https://confluence.atlassian.com/x/rQP5FQ You can read more about XSS attacks at:...
XSS vulnerability in a user's comment
We have identified and fixed a stored cross-site scripting (XSS) vulnerability in the FishEye user profile. Affected versions are all versions earlier than 2.5.5. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attac...
XSS vulnerability in user's profile display name
We have identified and fixed a stored cross-site scripting (XSS) vulnerability in the FishEye user profile. Affected versions are all versions earlier than 2.5.5. XSS vulnerabilities allow an attacker to embed their own JavaScript into a FishEye page. You can read more about XSS attacks at various...
Secure Section Macro
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-23637. This is a suggestion to create a new Macro/Plugin that works similarly to the Column Macro, with the major difference...