4195 matches found
Different IE browser windows have different sessions and different session timeout timing
One of our users reported the following: ---- I discovered the reason why JIRA sometimes closes my IE session, it depends on the way you login: 1 When you login via navigation to your home page http://support/jira/secure/Dashboard.jspa all is ok, multiple JIRA sessions never expire. 2 When you log...
JIRA Portlet Macro not displaying when authenticating using the trusted application between JIRA and Confluence
We're having issues using the JIRA portlet macro jiraportlet on pages inside Confluence. Whenever we try to use this macro using the trust between JIRA and Confluence for authentication, the macro does not display on the page. There aren't any errors, it just doesn't appear. code...
Upgrade standalone Tomcat to 5.5.25
We should bundle the latest version of Tomcat with standalone to pick up some fixes including the security vulnerability detailed at: https://vulners.com/cve/CVE-2007-3382 https://vulners.com/cve/CVE-2007-3385...
Moving a subtask Issue Type will sometimes ask the user for a Security Level even though this value is inherited from the Parent Issue.
When you move a subtask from an Issue Type where Security Level is a hidden field, to one where Security Level is no longer hidden, the system can mistakenly ask the User for a new Security Level. This is only a minor issue, as then the subtask will not actually take on the chosen value - it will...
Security vulnerability with Dashboard spacesSelectedTab
Our security team has reported the following vulnerability, which must be resolved for us to use the application. Severity: High Test Type: Application Vulnerable URL: https://gforgewiki.nci.nih.gov/dashboard.action Parameter = spacesSelectedTab Remediation Tasks: Filter out hazardous characters...
XSS vulnerability in recently updated and configure RSS feed actions
Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows: Arbitrary JavaScript can be injected in the following cases, which can lead to escalated or invalid privileges being granted to an unauthorized user: 1...
Authenticating security providers fails due to ClassLoader bugs
If the Trusted Application feature is not working and the following is seen: WARN atlassian.seraph.filter.TrustedApplicationsFilter Failed to login trusted application: confluence1234567 due to: com.atlassian.security.auth.trustedapps.InvalidCertificateException:...
Bulk Move does not update the Security Level of subtasks
When doing a bulk move, Parent issues moved to a new project must take any subtasks with them. If the new project has a different Issue Security scheme, then issues should get the default issue security in the new project. Currently a bulk move will change the security setting of parent issues, b...
You are able to delete a Custom Field that is referenced in Permission settings.
If you add a User Custom Field as a permission in a permission scheme or issue level security scheme, you are then able to delete the Custom Field without validation or warnings. After deleting the field, you are still able to see the Custom Field ID in the permission scheme, although it can...
"Forgot password" function allows easy misuse
The "Forgot password" function invents a new password and sends it by email. This invites misuse, as guessing the userid already allows one to annoy or even lock out the legitimate account owner. The user may currently not have access to his email account, or the mail could be killed by a spam filte...
Issues not shown in issue navigator that a user has permission for according to the issue security level
Users may not be able to see certain issues in the IssueNavigator if they create an issue level security where the permission depends on a user custom field and the custom field does not have a searcher set. Browsing the issue directly works fine; however, when running a search the issue won't ...
Uppercase usernames are not being restricted on some pages
Usernames must be created in lowercase in JIRA. At the moment, JIRA allows usernames with lowercase or uppercase letters on the Login and Add Watcher pages. It should enforce case sensitivity when the username is requested from the login page, or convert it to lowercase. JIRA should have this...
Move velocity templates and other web resources into WEB-INF in the Confluence webapp
It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...
Move velocity templates and other web resources into WEB-INF in the Confluence webapp
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-9730. It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...
Move velocity templates and other web resources into WEB-INF in the Confluence webapp
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-9730. It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...
DWR debug mode is enabled
This gives a potential attacker lots of information about available AJAX request handlers in Confluence...
IssueLevelSecurity permission check does not work with a DocumentIssueImpl if no security level has been set.
We need to be able to handle per issue permission checks, if no issue security level has been set. The problem is that if no issue level security is set, -1 gets indexed. The permissions code however expects a null value...
Security Issue: XSS in wiki exception error page
The confluence wiki does contain an XSS possibility in the exception error page. The user input string is NOT output encoded at the following lines: a - - Query String: url=alertdocument.cookie b - javax.servlet.forward.querystring : url=alertdocument.cookie c - atlassian.core.seraph.original.url :...
User value of JiraAuthenticationContext not set in SOAP service getIssue()
Call to JiraAuthenticationContext.setUser missing during getIssue SOAP service call. Service call will fail silently if there are custom fields with explicit security checking for attributes derived from the current user. In my case I try to verify the existence of an issue using the getIssue SOAP service...
Velocity does not automatically escape HTML entities when substituting variables
Velocity should automatically escape (HTML-encode) entities in variables it interpolates into markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs including ones we haven't discovered yet. This affects all versions of Confluence...
Cross-site scripting vulnerability in 500page.jsp
The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. The file 500page.jsp should escape the attributes and parameters to prevent code...