4195 matches found
Viewfile macros do not respect page restrictions
Add a page. Set viewing restrictions to user1 only. Add an attachment - 'Sample.doc'. Log in as user2 - confirm that you cannot see the restricted page. Add a page, and use the viewfile macro. Enter the location of the attachment on the restricted page. The contents of the attachment can now be viewed ...
CSRF attack message thrown when JSESSIONID is changed
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-15779. Symptoms: Anything that is using DWR will fail. Meaning: page editor is fully or partially unusable and it may...
CSRF attack message thrown when JSESSIONID is changed
Symptoms: Anything that is using DWR will fail. Meaning: page editor is fully or partially unusable and it may display the text "Draft saving timed out" on top of the text area. At the same time, the following error messages are printed in the Confluence log: 2009-05-15 08:06:36,011 ERRO...
CSRF attack message thrown when JSESSIONID is changed
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-15779. Symptoms: Anything that is using DWR will fail. Meaning: page editor is fully or partially unusable and it may...
Jiraissues add icon mapping configuration is susceptible to XSS
Combined with XSRF susceptibility via CONF-15753, you can craft an attack to get elevated privileges in Confluence. (Screenshot: http://img.skitch.com/20090520-x5gug8e8q5snabtmm2i2kdx1p.jpg)...
Encrypted passwords in osuser.xml
We need to set an encrypted password instead of a plain text password in java.naming.security.credentials within osuser.xml...
Encrypted passwords in osuser.xml
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-17317. We need to set an encrypted password instead of a plain text password in java.naming.security.credentials within osuser.xml...
Encrypted passwords in osuser.xml
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-17317. We need to set an encrypted password instead of a plain text password in java.naming.security.credentials within osuser.xml...
Prevent global settings from being accidentally overwritten
On a number of occasions, upgrading Extranet has triggered some kind of bug that has caused the global settings to be reset to their default values. The most obvious cause of this is that some piece of code has created a new Settings object and saved it through the settings manager. One way to...
The i18n in velocity templates does not auto html encode parameters
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-15548. All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are annotated as HtmlSafe which mean...
The i18n in velocity templates does not auto html encode parameters
All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are annotated as HtmlSafe, which means that any parameter which gets passed in as an argument will not be auto HTML encoded by the Anti-XSS module. The most straightforward way to fix this is to wrap the parameter insid...
The i18n in velocity templates does not auto html encode parameters
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-15548. All the getText methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are annotated as HtmlSafe which means...
XSS vulnerability can be exploited with the viewppt macro
Upload a file test.ppt. Use markup: viewppt:test.ppt|height=alert"xss"|width=alert"xss" The scripts will be executed when the page is loaded...
Shared Filter properties exposed without authentication
Some URLs are not protected by authentication which could expose some properties in JIRA that users may not wish to reveal. Example 1: Searching filters http://support.atlassian.com/secure/ManageFilters.jspa?filterView=search Example 2: Viewing properties of filters. I can see custom fields, sear...
Issue attachments, need a functionality of Security Schemes
In our JIRA instance both customers and developers have access to issues. We would like to have security scheme functionality in connection with issue attachments. In other words, we would like to attach documentation which would not be visible to customers or other groups of JIRA users...
Import Pages is not restricted to system admins
The Import Pages action is currently restricted to space admins, not system admins as it should be. Caused by CONF-10039...
Partial space admin permission/authority
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-15172. I followed these guidelines, but this is not fine-grained enough...
Partial space admin permission/authority
I followed these guidelines, but this is not fine-grained enough: http://confluence.atlassian.com/display/DOC/Global+Permissions+OverviewGlobalPermissionsOverview-confluenceadmin We need to prevent space admins from adding new permissions to their space. We prefer to manage space permissions by the...
Partial space admin permission/authority
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-15172. I followed these guidelines, but this is not fine-grained enough...
Update JIRA certificate for Screenshot Applet and others. It expires in June 2009
See https://extranet.atlassian.com/jira/browse/ADM-3253. Move Steve's branch into trunk in the process. Also I think the build environment might need direct updating...
Bright Cove User Macro-Cross-site script
Our e-security found the following error after they scanned the Bright Cove User Macro: Number: R4; System/Location: Bright Cove User Macro; Defect Type: Client-side Attacks: Cross-site Scripting; Status: Open. Description: Security Risk: It is possible to steal or manipulate customer session and cookies,...
Cache Plugin -Cross-site script error
Our e-security department found the error below after scanning the Cache Plugin: Number: R3; System/Location: Cache Plugin; Defect Type: Client-side Attacks: Cross-site Scripting; Status: Open. Description: Security Risk: It is possible to steal or manipulate customer session and cookies, which may be use...
Reporting Plugin- Cross-site scripting error
Our e-security found the following error for the Reporting plugin: Number: R2; System/Location: Reporting Plugin; Defect Type: Client-side Attacks: Cross-site Scripting; Status: Open. Description: Security Risk: It is possible to steal or manipulate customer session and cookies, which may be used to...
Latex Plugin-Cross-site Scripting Error
Our security group scanned the plugin below and found the following issue for the Latex Plugin: Number: R1; System/Location: Latex Plugin; Defect Type: Client-side Attacks: Cross-site Scripting; Status: Open. Description: Security Risk: It is possible to steal or manipulate customer session and cookies,...
Vulnerable and pointless password storage on client computers
Given the following: - http://confluence.atlassian.com/display/DOC/Confluence+Cookies, which says "a one-way hash of the user's password" is stored in a browser cookie on the user's computer. - CSP-29692, a case I opened with Atlassian support, which explained that EncryptionUtils.java is used to...
JIRA build information not included in dummy XML responses to search filter requests which users do not have access to
The build-info element is missing from the response to search filter XML requests: https://support.atlassian.com/sr/jira.issueviews:searchrequest-xml/10593/SearchRequest-10593.xml?tempMax=100 Happens if the user does not have access to the filter. See also...