4195 matches found
restrict the access to JIRA for specific pairs "user account - host"
To be able to restrict the access to JIRA for specific pairs "user account - host" also to provide: 1. specify checkbox user account - "any host" 2. specify multiple hosts for one user account 3. to use Windows AD containers such as distribution groups and computer groups in tool of the coding of...
Can't set visibility on comment created via Activity Stream Gadget
I can't restrict the visibility of a comment created via the activity stream gadget. In our environment it is important for us to have this feature available everywhere where users are able to create comments on issues...
Potential attack vector using attachments
Suspicious handling of attachment uploads with filenames containing quotes (the quote ended up being repeated) and semicolons (semicolon and all subsequent characters were stripped from filename)...
XSS vulnerability in Confluence Space Names
We have identified and fixed a cross-site scripting (XSS) vulnerability in Confluence Space Names. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker's te...
Allow anonymous/public access at page level
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion (http://jira.atlassian.com/browse/CONFSERVER-20737). Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous acce...
Allow anonymous/public access at page level
Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous access on a page per page basis within that space. This feature is missing and workarounds like create public spaces just for those pages are not viable...
Allow anonymous/public access at page level
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/CONFCLOUD-20737). Although a space might be restricted to some groups/users, it is sometimes required to allow public/anonymous acces...
XSRF vulnerability in the Mail Page plugin
We have identified and fixed a cross-site request forgery (XSRF) vulnerability which may affect Confluence instances in a public environment. The XSRF vulnerability is exposed in the Confluence Mail Page plugin. Note that the Mail Page plugin is disabled by default. If you do not have this plugin...
XSS vulnerability in the Office Connector
We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal...
Confluence should not allow configuration of Office Connector temporary storage location
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...
Path traversal vulnerability in various Confluence actions
We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers can retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal...
Property for enabling/disabling viewage of Jira administrators
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-22096). As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enabled...
Property for enabling/disabling viewage of Jira administrators
As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enabled through one property in jira-atlassian.properties, and it resolves several problems. We would prefer that there is a property like jira.administrators.show=true/false,...
Property for enabling/disabling viewage of Jira administrators
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-22096). As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enabled...
websudo annotation backwards compatibility (Confluence 3.3)
Following this guide (http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702), I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...
Replace unsafe text gadget and add to JIRA Cloud
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-21965). Atlassian Update - 23 April 2015: Hi everyone...
Replace unsafe text gadget and add to JIRA Cloud
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-21965). Atlassian Update - 23 April 2015: Hi everyon...
Replace unsafe text gadget and add to JIRA Cloud
Atlassian Update - 23 April 2015: Hi everyone, There is an add-on from Atlassian Labs that provides a rich text dashboard gadget for JIRA Cloud. You can find it by searching for "rich text gadget" in the Find New...
Display Last-Login-Date for the User
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-21933). Dear Atlassian! I don't know whether a ticket like this already exists or was solved, but I couldn't find any. We would like to ha...
Display Last-Login-Date for the User
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-21933). Dear Atlassian! I don't know whether a ticket like this already exists or was solved, but I couldn't find any. We would like to...
Display Last-Login-Date for the User
Dear Atlassian! I don't know whether a ticket like this already exists or was solved, but I couldn't find any. We would like to have displayed for any user after he logged in the time when he logged in before. This helps to find out whether someone else got hold of username&password and uses the...
Secure Administrator Sessions feature can be bypassed
In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3. This would allow an attacker to perform administrative functions on Confluenc...
NullPointerException when there are no cookies and AccessLogRequestInfo is enabled
When using the filter-list and project-list plugins I ran into an issue where NullPointerExceptions were being thrown. It turned out the issue is in AccessLogRequestInfo when the Cookie header doesn't exist. The line that causes the exception is a log.debug line. I am including a patch that check...
NullPointerException when Switching between Projects or Boards
In my case, the WEB-INF/classes/log4j.properties included has these loggers turned off, but they still seem to run. I am including a patch that ignores the NullPointerException following the pattern of ignoring the ClassNotFoundException. Details below taken from:...
Enable Web Sudo to work with other single-sign-on solutions
Customers with some of the unsupported single sign-on solutions (http://confluence.atlassian.com/display/DEV/Single+Sign-on+Integration+with+JIRA+and+Confluence) can't easily upgrade to Confluence 3.3 because WebSudo doesn't handle external SSO solutions. See this example:...
sudo is decorated with global decorator
The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use Confluence. By decorating the sudo login pages using the global decorator it exposes the user to...