4195 matches found
XSS vulnerability can be exploited with the Userlister macro
Use the following markup: {noformat}{userlister:groups=<script>alert('Vulnerable')</script>}{noformat} Whenever the page is viewed, the script will be executed...
Uploading large fonts for PDF export fails with XSRF error
When uploading the souizhs.ttf font, which we use for its comprehensive UTF-8 support, I get an XSRF validation error: "Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page." I tried...
XSS bug when unfavouriting a dashboard
When unfavouriting a dashboard with name '<script>alert('blah');</script>' the JavaScript is executed. https://extranet.atlassian.com/display/QA/JIRA+Dashboards+Blitz+-+Mark%27s+Findings...
Update of jcaptcha
Update the version of jcaptcha that we use...
EPIC FAIL: new user signups result in plain text email with all login details
After signing up to a JIRA instance, I got an email which simply amazed me - it contained: my username, my email address, my full name, my password. It was all there, right before me, in a plain-text unencrypted email sent across a public network. WTF?! I'm not sure which universe that's considered a...
JQL not respecting Issue Security Level "Project Lead"
While writing TestIssueSecurityLevel I found the following problem: fred is not a Project Lead; HSP-3 has an Issue Security Level of "Project Lead" only; an empty JQL query (to show all visible issues) doesn't show HSP-3; make fred the Project Lead and run the same query: still no HSP-3; however, fred can browse to HSP-3 an...
JIRA should trust itself by default.
Upgrade Seraph and Trusted apps to 2.0.1/2.1. If the CurrentApplication implements TrustedApplication then return it if it is asked for by id...
Upgrade to the latest version of Seraph and Trusted Applications library
Andreas needs to make some improvements to trusted-application behaviour for Gadgets. In order to do this, we need to first get onto the latest version of Seraph where Trusted Applications is split out into a separate library. Also, the new version of Seraph uses a version of oscore library|SER-1...
Allow issue security level to use any custom field that implements UserCFNotificationTypeAware
It would be useful to be able to set the security level on an issue to include everyone who participated in the issue, so that if you had a security level covering only the reporter and the assignee and the issue needed to be reassigned, it could still be seen by the original assignee. The JIRA...
Allow issue security level to use any custom field that implements UserCFNotificationTypeAware
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-18099. It would be useful to be able to set the security level on an issue to include everyone who participated in an issue, so if you h...
Allow issue security level to use any custom field that implements UserCFNotificationTypeAware
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-18099. It would be useful to be able to set the security level on an issue to include everyone who participated in an issue, so if you...
Warn about assigning "Anyone" group in Global and Project permissions
Assigning Anyone to global permissions such as "Browse user" is a sure way to shoot yourself in the foot inadvertently. We make a vague mention of it in the documentation (https://confluence.atlassian.com/display/JIRA/Managing+Global+Permissions): "if you wish to grant the permission to non...
Warn about assigning "Anyone" group in Global and Project permissions
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-18076. Assigning Anyone to global permissions such as "Browse user" is a sure way to shoot yourself in the foot inadvertently. We ma...
Warn about assigning "Anyone" group in Global and Project permissions
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-18076. Assigning Anyone to global permissions such as "Browse user" is a sure way to shoot yourself in the foot inadvertently. We mak...
Allow Site Admin to discover restricted pages
A customer mentioned that this functionality is important to have for automation and integration purposes. Currently confluence-administrators are not able to discover restricted pages, despite their ability to access (i.e. read) the page if they know the URL. The customer argued that "this makes...
XSS in PDF screen
The "PDF Export Stylesheet" field is not encoded...
Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to chang...
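The report above is truncated here and does not say how the picture path was used inside Confluence, so the following Python, added as an example and not Confluence's own code or patch, shows the general fix for this bug class rather than the specific one: a hypothetical profile-picture lookup, first with the untrusted name joined onto a base directory as-is, then with the result resolved and proven to still lie inside that directory. The directory path, the function names and the sample names are constructed for the example.

```python
import posixpath

# Constructed layout for this example (not Confluence's real paths): the directory
# holding the built-in profile pictures, and names as they might arrive in a request.
PICTURE_DIR = "/opt/confluence/images/icons/profilepics"


def picture_path_unsafe(requested: str) -> str:
    """Vulnerable: the request parameter is joined onto the base directory and
    used as-is. '../' sequences walk out of PICTURE_DIR, and an absolute name
    replaces the base directory entirely (posixpath.join discards everything
    before an absolute component)."""
    return posixpath.normpath(posixpath.join(PICTURE_DIR, requested))


def picture_path(requested: str) -> str:
    """Hardened: resolve the candidate, then prove it still lies inside
    PICTURE_DIR. Rejects empty names, NUL bytes, absolute paths, traversal
    and the directory itself. Raises ValueError for anything rejected."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed picture name")
    if posixpath.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = posixpath.normpath(PICTURE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath compares whole components, so a sibling directory such as
    # .../profilepics-private is not mistaken for a child of .../profilepics
    # (a plain startswith() check would get that wrong).
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the picture directory")
    if candidate == base:
        raise ValueError("picture name must denote a file")
    return candidate


def is_safe_picture_name(requested: str) -> bool:
    """Convenience wrapper: True if picture_path() would accept the name."""
    try:
        picture_path(requested)
        return True
    except ValueError:
        return False
```

On a real filesystem, resolve symlinks with os.path.realpath() before the containment check, since a link inside the directory can point outside it; and when the set of selectable pictures is fixed, as it is for Confluence's built-in set, an allow-list of their names is stronger than any path check.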
XSS vulnerability can be exploited on the WebDAV Configuration page
Steps: 1. Go to WebDAV Configuration. 2. Enter '<script>alert("XSS")</script>'. 3. Click the 'Add new regex' button. The script will be executed. It will continue to be executed whenever a user clicks the 'Save' button. This can be done by users in the confluence-admin group, so it could be used by them to gain access to...
XSS vulnerability in space name when page move would create a duplicate
1. Create a space called <script>alert("XSS");</script> 2. Find a page named 'Home' in a different space. 3. Move this page, choosing the previously created space as the destination. The move will fail due to the duplicate page name, and the script will be run...
XSS vulnerability when moving page between spaces
You can create a space with HTML in the name. In most places this space name is correctly encoded; however, in the tree component shown when you choose to move a page, the destination space name is not encoded properly. To reproduce: 1. Create a space called <script>alert("Howdy");</script> 2. Create a page in another...
XSS in user links
A user with username "<script>alert("foo")</script>" that is linked to via [~username] markup results in the script being executed. Curiously, viewing the space homepage of that user results in a blank page. This of course is prevented for public signup, but if the user gets created via other means, i.e. external user...
XSS in concurrent edit notification
If a page is being edited by {noformat}<script>alert('hacked')</script>{noformat} and another user edits it at the same time, they are vulnerable to a potential XSS attack...
Viewfile macros do not respect page restrictions
1. Add a page. 2. Set viewing restrictions to user1 only. 3. Add an attachment, 'Sample.doc'. 4. Log in as user2 and confirm that you cannot see the restricted page. 5. Add a page and use the viewfile macro. 6. Enter the location of the attachment on the restricted page. The contents of the attachment can now be viewed ...
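The viewfile report just above and the earlier JQL/Issue Security Level report are the same class of bug seen from two sides: a second access path (a macro rendering an attachment, a search index filtering results) applies its own copy of an authorization rule instead of the one the direct-view path uses, and the two drift apart. In the JQL case the copy is too strict and hides HSP-3 from the Project Lead; in the viewfile case it checks the wrong object and leaks a restricted attachment. The following Python, added as an example and not Confluence's or JIRA's code, builds a constructed model of pages with view restrictions, group membership, attachments and a search function, shows both failure shapes, and ends with the property a test suite should keep: what search returns must equal what direct viewing allows. All names, users and pages are hypothetical.

```python
from dataclasses import dataclass

# Constructed model of a wiki with page view restrictions, attachments, group
# membership and a search index. It is not Confluence's or JIRA's real code.


@dataclass(frozen=True)
class Page:
    title: str
    # Both empty = unrestricted; otherwise the users and groups allowed to view.
    allowed_users: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()


@dataclass(frozen=True)
class Attachment:
    name: str
    page: Page  # the page the file is attached to; it carries the restriction


GROUPS = {"user1": frozenset(), "user2": frozenset(), "user3": frozenset({"staff"})}

SECRET = Page("Secret", allowed_users=frozenset({"user1"}), allowed_groups=frozenset({"staff"}))
PUBLIC = Page("Public")
PAGES = [SECRET, PUBLIC]
SAMPLE = Attachment("Sample.doc", SECRET)


def can_view(user: str, page: Page) -> bool:
    """The one authoritative decision that every access path must reuse."""
    if not page.allowed_users and not page.allowed_groups:
        return True
    return user in page.allowed_users or bool(GROUPS.get(user, frozenset()) & page.allowed_groups)


def search_unsafe(user: str, pages) -> list:
    """Index-side filter that re-implements the rule and gets it wrong: it knows
    the explicit user list but not group membership, so user3 never sees
    'Secret' although can_view() allows it (the shape of the JQL report, where
    the index did not know about the Project Lead role)."""
    return [p.title for p in pages
            if (not p.allowed_users and not p.allowed_groups) or user in p.allowed_users]


def search(user: str, pages) -> list:
    """Fixed: the search path delegates to can_view()."""
    return [p.title for p in pages if can_view(user, p)]


def viewfile_unsafe(user: str, embedding_page: Page, attachment: Attachment) -> str:
    """Only the page that embeds the macro is checked, so an attachment from a
    restricted page can be pulled onto an unrestricted one and read there."""
    if not can_view(user, embedding_page):
        raise PermissionError(embedding_page.title)
    return attachment.name


def viewfile(user: str, embedding_page: Page, attachment: Attachment) -> str:
    """Fixed: the attachment inherits the restriction of the page it lives on,
    so that page is checked as well as the embedding page."""
    if not can_view(user, embedding_page) or not can_view(user, attachment.page):
        raise PermissionError(attachment.page.title)
    return attachment.name


def viewfile_allowed(user: str, embedding_page: Page, attachment: Attachment, viewfile_fn=viewfile) -> bool:
    """True if the given viewfile implementation lets the user read the file."""
    try:
        viewfile_fn(user, embedding_page, attachment)
        return True
    except PermissionError:
        return False


def search_consistent(user: str, pages, search_fn=search) -> bool:
    """Property to keep in a test suite: the set a search returns must equal
    the set of pages the user could open directly."""
    return set(search_fn(user, pages)) == {p.title for p in pages if can_view(user, p)}
```

The search_consistent() property is the check that would have caught the JQL report before release; the equivalent for attachments is that every path which renders a file (download, macro, export) consults can_view() on the file's own container, not only on whatever page happens to reference it.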