XSS vulnerability in Crucible Author Mapping
We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Author Mapping. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS...
XSS vulnerability in Crucible's Snippets
We have identified and fixed a cross-site scripting XSS vulnerability in the Crucible Snippets. Affected versions are Crucible 2.4.5 to 2.5.0 inclusive. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a FishEye/Crucible page. You can read more about XSS attack...
Seraph in Confluence 3.5 environment no longer able to instantiate custom authenticator
Customer using custom authenticator no longer works in Confluence 3.5 despite updates to latest API, latest Atlassian SDK, and building against Confluence 3.5 and embedded Crowd. See attached error log from customer. In brief, error is: noformat Caused by:...
Searching within restricted pages/spaces
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-22074. This is the issue reference:...
Searching within restricted pages/spaces
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-22074. This is the issue reference:...
Searching within restricted pages/spaces
This is the issue reference: https://support.atlassian.com/browse/CSP-59005?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel I wanted a feature wherein a user can search within spaces or pages that he/she does not have access to. There are some pages that I do not want everyone t...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
XSRF token broken when you edit an Issue Type Scheme
If you click the Edit link beside the currently selected Issue Type Scheme on a Project Summary page and then click Save on the next screen you get an XSRF token missing error...
Cache Crowd Authentication on the client side
Jira is very chatty with Crowd, see: https://support.atlassian.com/browse/CWDSUP-4148 One request is sent to crowd per request into jira. Something like: com.atlassian.crowd.integration.service.cache.CacheAwareAuthenticationManager should be used. We have a similar issue with Confluence...
Remember Me filter not working for FishEye/Crucible
The current implementation of the FishEye filter still requires that the Remember Me cookie contain the encrypted credentials for the user, which is no longer true, as that poses a major security vulnerability. The filter should rely on the JIRA Remember Me functionality. If the user logged in using the...
Ability to perform a bulk random password reset for users per project
Would like to have the ability to perform a bulk password reset on user accounts for any particular JIRA project. Have recently received a request from a customer to perform this operation on their project. I did raise a support call JSP-73240 and was recommended to raise a New Feature Request...
Ability to perform a bulk random password reset for users per project
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-23703. Would like to have the ability to perform a bulk password reset on user accounts for any particular JIRA project. Have recently...
Ability to perform a bulk random password reset for users per project
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-23703. Would like to have the ability to perform a bulk password reset on user accounts for any particular JIRA project. Have recently...
User Enumeration
Security auditing tests performed on a locally running instance of Jira Bug Issue and Project Tracking Software showed that at least two vulnerabilities regarding User Enumeration exist within the software. Case 1: Logged In. Whenever a logged-in user accesses the URL...
XSS vulnerability in the action links of Confluence's attachments lists.
We have identified and fixed a cross-site scripting XSS vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about...
Deleting a user does not remove the user from its LDAP group
Jira team: I believe this to be a JIRA bug because this scenario does not reproduce in Confluence when it is linked to Crowd. - Add an LDAP directory to Crowd. Make sure to have the "jira-users", "jira-administrators" and "jira-developers" groups exist in LDAP. - Add Crowd Server as a directory t...
Lock account after multiple login failure
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-23412. For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login...
Lock account after multiple login failure
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-23412. For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login unsuccessfull...
Lock account after multiple login failure
For security purposes, it is desirable to have a mechanism to lock an account if the user attempted multiple login unsuccessfully. Perhaps something like what they are doing here: http://jira.codehaus.org/browse/CONTINUUM-796 See also:...
Admin menu items displayed to non-admins when accessing "Global Templates" page
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-21562. When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel ar...
Admin menu items displayed to non-admins when accessing "Global Templates" page
When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel are displayed. The links cannot be used without entering new credentials, but it would be more consistent to hide the links from non-admins, just as we hide "System Administrator" links...
Admin menu items displayed to non-admins when accessing "Global Templates" page
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-21562. When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel are...
Add warning to Shared Dashboards explaining consequence of 'everyone'
In JRA-22207, a warning was added to the "Shared Filters" page explaining what "Everyone" actually means. The "Shared Dashboards" screen also needs this warning. Please also search in the code for anywhere else this permissions-setting control is used...
Basic auth authentication does not allow files to be attached in 4.2
From the customer support case: "When using osauthType=basic to login to JIRA 4.2 a user is able to upload an attachment as a temporary file, but is unable to attach the temporary file to the issue. We noticed the exact same behavior ... had worked with JIRA 4.1.2." The Atlassian support...
XSS vulnerability in Create Space Button macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence create-space-button macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including...
XSS vulnerability in Pagetree macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence pagetree macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
XSS vulnerability in Recently Updated macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence recently-updated macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these...