4195 matches found
Hidden pages' content can be viewed without permission using copypage.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A User cannot see Space A User can see Space B The following URL will allo...
The TrustedApplicationsFilter doesn't work for /rpc/* URLs
The sessioninview filter doesn't cover rpc URLs, I think because this meant that RPC actions didn't show up in the DB until the response was completely written. This means that lazily loaded data returned by the HibernateTrustedApplicationDao causes problems when the TrustedApplicationsFilter trie...
Confluence breaks SSO integration (PATCH)
A long time ago when I wrote our authenticator for wikis.sun.com, I noticed that under some circumstances our SSO server didn't redirect back to wikis.sun.com correctly. It redirected to a confluence URI without specifying the host and the domain, which resulted in the browser ending up on our SS...
Restrict the transmission of Confluence version details
I noticed that on several installs, Confluence by default displays its full version number and sometimes build number to the world. It is a commonly accepted web security practice to withhold all product details, including version information, except to users on a "need to know" basis. Otherwise,...
Do not release details about security vulnerabilities until after the fix was available for a reasonable period of time
It is an unfortunate practice at Atlassian to release, as a part of release notes, all the information, often including example exploits (http://jira.atlassian.com/browse/CONF-9350), about security vulnerabilities that were fixed in the version being released. This gives us great headaches because: w...
Security Vulnerability in xwork, need to update to fixed version
See http://cwiki.apache.org/confluence/display/WW/S2-003. Confluence is currently using v1.0.3. The 1.0.x branch was not yet patched so we cannot upgrade straight away. Don B is working on releasing the fix...
XSS using onerror
We had a user enter a viagra ad that actually redirected to their site. I think the offending code was here: although obviously they didn't use example.com. I've attached the whole page for examination...
SSO credentials not used in IssueViewURLHandler
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-15048). A customer has created a SSO plugin and is facing some specific issues in this context. When they click on the printable link o...
SSO credentials not used in IssueViewURLHandler
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-15048). A customer has created a SSO plugin and is facing some specific issues in this context. When they click on the printable link ...
SSO credentials not used in IssueViewURLHandler
A customer has created a SSO plugin and is facing some specific issues in this context. When they click on the printable link of an issue, i.e. http://jira/lodh/si/jira.issueviews:issue-html/ORGJIRA-13/ORGJIRA-13.html, they get an error page indicating "the user myuser... doesn't exist..." They...
XSS vulnerability in create/edit/copy page and blogpost actions
The following create/edit page URLs are vulnerable: /pages/createpage.action, /pages/docreatepage.action, /pages/editpage.action, /pages/doeditepage.action (on parentPageString). Example of a maliciously crafted path:...
XSS in DWR
Confluence still uses DWR 1.1.4. This version contains a Cross Site Scripting Vulnerability in the handling of error messages. Example...
Manage Watchers shows users with no permission
We have just upgraded to Jira 3.12.2 and like the new functionality when adding watchers to an issue. There is one problem with this though. It is showing all users, including users with no permissions. This means that all employees that stopped working here will show in the drop down. We do not...
Implement login using google Authentication
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-14866). We are a small company, and we are using Google for mail, calendar etc. For now we are using OpenLDAP to authenticate user...
Implement login using google Authentication
We are a small company, and we are using Google for mail, calendar etc. For now we are using OpenLDAP to authenticate users for our Jira, but we would like to have a sort of SSO using Google users and passwords. It would be great to be able to configure Jira to check the user's password...
Implement login using google Authentication
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-14866). We are a small company, and we are using Google for mail, calendar etc. For now we are using OpenLDAP to authenticate use...
Remember my password with LDAP
At the login screen, when we click on 'Remember my login on this computer' and log in, everything works well. When we close the browser without logging out, the login should be remembered on this computer. When we try to get back into Jira, here's the bug that we have in our log file. 2008-04-22...
XSS vulnerability in viewinfo.action
Referrer URLs are not encoded in viewinfo.vm...
Users can move attachments to a space they have no permission for
Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence. E.g.: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably name...
Some users' logins are not remembered using Tomcat
When using Confluence, and Tomcat 5.5.26 or Tomcat 6 some users may find that their logins are not remembered. This is because of a bug in Tomcat's cookie handling. This is logged against the Atlassian Seraph library used by Confluence as SER-117. SER-117 has been fixed, so we "just" need to use ...
It's possible to browse project names when using Issue Security Scheme.
A customer user is set up and only allowed to see "External" issues. - The user is added as project role "Customers" in project "X". - The project has Issue Security Scheme "Customers" (Internal / External). When logging in as the customer user, you can only see the External issues within this...
Change issue Security Level on Transition
We need a way to automatically change the Security Level of an issue when it is transitioned. Currently our project has a default Security Level that only allows the assignee and management to see an issue; we would like to automatically open that issue up once it is fixed...
Session isn't invalidated on logout
When the user logs out the HttpSession isn't invalidated. The important details of the logged-in user and other information are correctly cleared, but other properties such as user preferences are not. The impact is that things like the labels section's and location section's openness state isn't correct...