36 matches found
CVE-2023-22512
CVE-2023-22512 is a DoS vulnerability in Atlassian Confluence Data Center and Server. Introduced in version 5.6, it allows an unauthenticated, network-based attacker to make a Confluence instance unavailable, with no impact to confidentiality or integrity and a high availability impact (CVSS v3.1...
CVE-2021-26084
CVE-2021-26084 is an OGNL injection vulnerability in Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. Affected branches include Confluence Server/Data Center versions prior to 6.13.23, 6.14.0 before 7.4.11, 7.5.0 before 7.11.6, and 7.12.0 before 7.12....
CVE-2022-26134
CVE-2022-26134 is an unauthenticated OGNL injection in Atlassian Confluence Server and Data Center that enables remote code execution. Affected: Confluence Server/Data Center versions from 1.3.0 up to 7.4.16, 7.13.x up to 7.13.6, 7.14.x up to 7.14.2, 7.15.x up to 7.15.1, 7.16.x up to 7.16.3, 7.17...
CVE-2021-26085
CVE-2021-26085 affects Atlassian Confluence Server. It is a Pre-Authorization Arbitrary File Read via the /s/ endpoint, allowing remote attackers to view restricted resources. Affected versions are before 7.4.10, and 7.5.0 before 7.12.3; fixes are in 7.4.10 and 7.12.3. Public PoCs and demonstrati...
CVE-2023-22515
CVE-2023-22515 affects Atlassian Confluence Data Center and Server. The issue is a broken access control vulnerability that enables an unauthenticated attacker to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected, and ins...
CVE-2023-22527
CVE-2023-22527 is an OGNL/SSTI-based remote code execution vulnerability in Atlassian Confluence Data Center and Server. Affected versions include Confluence Data Center/Server 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0–8.5.3 (per multiple exploits). Anonymous attackers could trigger RCE via a ...
CVE-2023-22518
CVE-2023-22518 (Confluence DC/Server): An improper authorization vulnerability allowed an unauthenticated attacker to reset Confluence and create an instance administrator, enabling full admin control and potential data loss. Affected products include Confluence Data Center (all versions) and Con...
CVE-2024-21683
CVE-2024-21683 is an authenticated Remote Code Execution in Atlassian Confluence Data Center and Server. The issue arises from the Rhino script engine parsing tainted data in uploaded text/files, allowing an attacker with necessary privileges (e.g., admin) to execute arbitrary host code. Affected...
CVE-2022-26136
CVE-2022-26136 is a vulnerability in multiple Atlassian products where remote, unauthenticated attackers can bypass Servlet Filters used by first and third‑party apps, potentially causing authentication bypass and XSS. Affected products and fixed ranges are provided: Atlassian Bamboo (<8.0.9, ...
CVE-2023-22508
CVE-2023-22508 is a high-severity Remote Code Execution vulnerability in Atlassian Confluence Data Center & Server, introduced in version 6.1.0. The flaw enables an authenticated attacker to execute arbitrary code with high impact to confidentiality, integrity, and availability, without user inte...
CVE-2022-26137
CVE-2022-26137 concerns multiple Atlassian products (Bamboo, Bitbucket, Confluence, Jira, Jira Service Management, Crowd, Fisheye/Crucible) where an unauthenticated remote attacker can trigger additional Servlet Filters in requests/responses, causing a CORS bypass. The issue allows an attacker to...
CVE-2024-21677
CVE-2024-21677 affects Atlassian Confluence Data Center and Server, introduced in version 6.13.0 as a High-severity path traversal vulnerability. The CVSS data indicate unauthenticated network access with low attack complexity, no privileges required, but user interaction is needed, and impacts t...
CVE-2024-21690
This CVE affects Atlassian Confluence Data Center and Server. The issue is a Reflected XSS and CSRF vulnerability that impacts versions 7.19.0, 7.20.0, 8.0.0 through 8.9.0. An unauthenticated attacker can cause a victim’s browser to execute arbitrary HTML/JavaScript and persuade the user to perfo...
CVE-2023-22522
CVE-2023-22522 is an RCE flaw in Atlassian Confluence Data Center and Server caused by a template injection vulnerability that lets an authenticated (including anonymous) attacker inject unsafe input into a Confluence page. Affected versions include Confluence Data Center/Server releases prior to...
CVE-2021-39114
CVE-2021-39114 affects Atlassian Confluence Server/Data Center. An OGNL injection in Confluence prior to specific fixed versions allows a valid account on a Data Center instance to execute arbitrary Java code or commands. Affected versions are: before 6.13.23; 6.14.0 before 7.4.11; 7.5.0 before 7...
CVE-2021-43940
CVE-2021-43940 affects Atlassian Confluence Server and Data Center on Windows. A DLL hijacking vulnerability in the Confluence installer allows authenticated local attackers to achieve elevated privileges on the local system. Affected versions are before 7.4.10, and 7.5.0 before 7.12.3. Documente...
CVE-2020-29448
CVE-2020-29448 affects Atlassian Confluence Server/Data Center. Affected ConfluenceResourceDownloadRewriteRule allows unauthenticated remote retrieval of arbitrary files in WEB-INF and META-INF due to an incorrect path access check. Impact is read-only exposure of restricted files; no exploitatio...
CVE-2023-22505
CVE-2023-22505 affects Atlassian Confluence Data Center & Server. A remote code execution flaw exists due to insufficient input validation, enabling an authenticated attacker to execute arbitrary code with high impact on confidentiality, integrity, and availability. Affected versions include 8.0....
CVE-2020-29444
CVE-2020-29444 affects Atlassian Confluence Server: Team Calendar component is vulnerable to a Cross-Site Scripting (XSS) attack via admin global setting parameters in versions before 7.11.0. The root cause is a failure to properly sanitize inputs in the admin settings, allowing injection of arbi...
CVE-2020-29450
CVE-2020-29450 affects Atlassian Confluence Server and Data Center before version 7.2.0, where the avatar upload feature allows remote attackers to impact availability (DoS). The root cause is a DoS vulnerability in the avatar upload functionality. Fixed versions are 7.2.0 and later. Remediation:...
CVE-2024-21678
CVE-2024-21678 is a stored XSS vulnerability in Atlassian Confluence Data Center and Server introduced in 2.7.0. An authenticated attacker can inject HTML/JavaScript that runs in a victim’s browser, with high confidentiality impact, low integrity impact, no availability impact, and no user intera...
CVE-2024-21672
CVE-2024-21672 : A remote code execution vulnerability in Atlassian Confluence Data Center and Server was introduced in 2.1.0. It allows an unauthenticated, network‑level attacker to remotely expose assets when exploiting the flaw, with user interaction required (UI: R). The vulnerability impacts...
CVE-2020-14175
CVE-2020-14175 affects Atlassian Confluence Server and Data Center. The vulnerability is a Cross-Site Scripting (XSS) flaw in user macro parameters that allows injection of arbitrary HTML/JavaScript. Affected versions are before 7.4.2 and 7.5.0 up to before 7.5.2. Some sources note exploitation m...
CVE-2024-21686
CVE-2024-21686 is a stored XSS vulnerability affecting Atlassian Confluence Data Center and Server, introduced in version 7.13. The CVSS base score is 7.3 (high) with author-verified network attack vector, low attack complexity, low privileges required, and user interaction required; impact is hi...
CVE-2018-20239
CVE-2018-20239 involves a cross-site scripting (XSS) flaw in the Application Links plugin’s applinkStartingUrl parameter. The vulnerability affects multiple plugin versions: Application Links before 5.0.11, 5.1.0–before 5.2.10, 5.3.0–before 5.3.6, 5.4.0–before 5.4.12, and 6.0.0–before 6.0.4. It i...
CVE-2024-21703
This CVE describes a Medium severity Security Misconfiguration in Confluence Data Center and Server for Windows, introduced in version 8.8.1. An authenticated attacker on the Windows host can read sensitive information about the Confluence Data Center configuration, impacting confidentiality, int...
CVE-2021-26072
CVE-2021-26072 affects Atlassian Confluence Server/Data Center prior to 5.8.6, where the WidgetConnector plugin permits blind SSRF allowing remote attackers to manipulate internal network resources. The issue arises from insecure server-side requests triggered by the widgetconnector, with exploit...
CVE-2023-22503
The CVE concerns Atlassian Confluence Server/Data Center where the macro preview feature permits an Information Disclosure vulnerability. Affected: Confluence Server/Data Center versions before 7.13.15, 7.14.0–7.19.7, and 7.20.0–8.2.0. Impact: anonymous remote attackers can view names of attachme...
CVE-2024-21673
CVE-2024-21673 affects Atlassian Confluence Data Center and Server. The vulnerability is an authenticated remote code execution that was introduced in version 7.13.0, with high impact on confidentiality, integrity, and availability (CVSS v3.0/3.1 base scores 8.0/8.8). Affected versions include 7....
CVE-2022-42977
The CVE-2022-42977 relates to the Netic User Export add-on for Atlassian Confluence (before version 1.3.5). The vulnerability arises from the export functionality, where the HTTP request’s fileName parameter can specify any file on the system, enabling retrieval of arbitrary files (e.g., SSH priv...
CVE-2020-36290
CVE-2020-36290 affects Atlassian Confluence Server/Data Center via the Livesearch macro. Vulnerable versions include pre-7.4.5, 7.5.0–7.6.2, and 7.7.0–7.7.3 (up to 7.7.4 in some listings), where remote attackers with page/blog edit permission can inject arbitrary HTML/JavaScript into the page exc...
CVE-2023-22526
CVE-2023-22526 is an authenticated RCE affecting Atlassian Confluence Data Center/Server introduced in 7.19.0. The CVSS 3.1/3.0 data show high impact (C/I/A) with network access and low attack complexity; privileges required are low (per NVD). The vulnerability allows executing arbitrary code wit...
CVE-2022-42978
The vulnerability CVE-2022-42978 affects the Netic User Export add-on for Atlassian Confluence prior to version 1.3.5. The root cause is mishandled authorization, allowing an unauthenticated attacker to access files on the remote system. Impact is unauthorized file access. Remediation: upgrade to...
CVE-2024-21674
CVE-2024-21674 affects Atlassian Confluence Data Center and Server, introduced in 7.13.0, enabling unauthenticated remote code execution (RCE) with high confidentiality impact (CVSSv3.0: 8.6, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Upgraded fixed versions are 7.19.18+, 8.5.5+, or 8.7.2+ (recommend ...
CVE-2018-20237
Confluence Server/Data Center prior to version 6.13.1 is affected by an information-disclosure vulnerability in the Word Export feature. An authenticated user can download content from deleted pages, exposing partially confidential data. Root cause: Word Export component allows access to deleted ...
CVE-2025-22166
CVE-2025-22166 is a Denial of Service vulnerability affecting Atlassian Confluence Data Center. Introduced in Confluence Data Center 2.0, it enables an unauthenticated remote attacker to render the host unavailable by disrupting services, with high impact on availability. The advisory recommends ...