19 matches found
CVE-2019-15006
CVE-2019-15006 describes a MITM vulnerability in the Confluence Previews plugin used to communicate with the Atlassian Companion app via the atlassian-domain-for-localhost-connections-only.com hostname (DNS to 127.0.0.1). An attacker controlling DNS could observe or modify edited files; the certi...
CVE-2019-20406
CVE-2019-20406 affects Atlassian Confluence on Windows. The vulnerability is a DLL hijacking flaw in which local attackers with permission to write a DLL in a directory on the global PATH can inject code and escalate privileges. Affected versions are Confluence on Windows before 7.0.5, and from 7...
CVE-2019-3394
CVE-2019-3394 affects Atlassian Confluence Server/Data Center: a local file disclosure in the page export feature allows an authenticated attacker with page-edit permission to read arbitrary files under the Confluence install directory (notably /confluence/WEB-INF). Impact could include leakage o...
CVE-2019-15005
The CVE-2019-15005 vulnerability concerns the Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2, which is bundled with multiple Atlassian products. An unprivileged user can initiate periodic log scans and have the results emailed to a user-specified address due to ...
CVE-2020-4027
Atlassian Confluence Server/Data Center is affected by CVE-2020-4027 due to an injection vulnerability in custom user macros that allows remote attackers with system administration permissions to bypass velocity template injection mitigations. Affected versions are before 7.4.5 and 7.5.0 before 7...
CVE-2019-3395
CVE-2019-3395 affects Atlassian Confluence Server and Data Center via an SSRF vulnerability in the WebDAV endpoint. The issue allows remote attackers to send arbitrary HTTP/WebDAV requests from the Confluence server due to a Server-Side Request Forgery flaw. Affected versions are: before 6.6.7 (f...
CVE-2015-8399
This CVE affects Atlassian Confluence (before 5.8.17). The vulnerability is an information disclosure where a remote authenticated user can read configuration files via the decoratorName parameter to spaces/viewdefaultdecorator.action or admin/viewdefaultdecorator.action. The issue is caused by a...
CVE-2012-2926
CVE-2012-2926 covers multiple Atlassian products (JIRA <5.0.1; Confluence pre-3.5.16, 4.0.x <4.0.7, 4.1.x <4.1.10; FishEye/Crucible, Bamboo <3.3.4/3.4.x; Crowd <2.0.9, <2.1.2, <2.2.9, <2.3.7,
CVE-2017-9505
Atlassian Confluence, versions 4.3.0 up to 6.2.1, are vulnerable to an access-control bypass when creating a workbox notification for new comments. The root cause is failure to verify a viewer’s permission for the page, allowing an authenticated attacker who can log in to receive workbox notifica...
CVE-2016-6283
CVE-2016-6283 affects Atlassian Confluence
CVE-2017-18084
CVE-2017-18084 affects Atlassian Confluence Server
CVE-2015-8398
CVE-2015-8398 is a cross-site scripting vulnerability in Atlassian Confluence (pre-5.8.17). An attacker can inject arbitrary scripts via the PATH_INFO to rest/prototype/1/session/check, allowing remote script/HTML execution. Affected versions are Atlassian Confluence Server 5.8.x earlier than 5.8...
CVE-2017-18085
CVE-2017-18085 affects Atlassian Confluence Server prior to version 6.6.1, with a reflected XSS in the viewdefaultdecorator resource via the key parameter. Proof-of-impact details: arbitrary HTML/JavaScript can be injected. Affected products and versions are supported by multiple connected source...
CVE-2017-18083
CVE-2017-18083 affects Atlassian Confluence Server before 6.4.0, where the editinword resource is vulnerable to cross-site scripting (XSS) via the contents of an uploaded file. The issue enables an attacker to inject arbitrary HTML/JavaScript through the uploaded file contents, as described in mu...
CVE-2017-16856
CVE-2017-16856 affects Atlassian Confluence via the RSS Feed macro. The issue is a cross-site scripting (XSS) flaw in various RSS properties used as links without restricting their URL scheme, allowing remote injection of HTML/JavaScript. Affected product/version details in provided documents poi...
CVE-2016-4317
CVE-2016-4317 affects Atlassian Confluence Server up to version 5.9.10, with a cross-site scripting (XSS) vulnerability on the viewmyprofile.action page. Root cause: failure to adequately validate user-supplied data leading to persistent XSS (described as a persistent XSS in Atlassian records and...
CVE-2018-13389
CVE-2018-13389 affects Atlassian Confluence versions before 6.6.1. The vulnerability allows remote attackers to spoof web content in Mozilla Firefox by serving attachments with a content-type of application/rdf+xml, enabling content spoofing via the attachment resource. The Nessus entry and vendo...
CVE-2017-18086
CVE-2017-18086 affects Atlassian Confluence Server prior to 6.4.2, where the issuesURL parameter can be exploited to inject arbitrary HTML/JavaScript via a reflected XSS vulnerability. Public sources (NVD/Nessus/CNVD) describe the issue as a reflected XSS in multiple resources using the issuesURL...
CVE-2005-3967
CVE-2005-3967 is an XSS vulnerability in Atlassian Confluence 2.0.1 Build 321. The issue affects the dosearchsite.action module, allowing remote attackers to inject arbitrary web script or HTML via the searchQuery.queryString parameter. The documented impact is partial integrity compromise with n...