Lucene search
K
AtlassianCrowd

24 matches found

CVE
CVE
added 2019/06/03 1:43 p.m.1048 views

CVE-2019-11580

Atlassian Crowd/Crowd Data Center are affected by CVE-2019-11580 due to the pdkinstall development plugin being incorrectly enabled in release builds. The flaw permits attackers to install arbitrary plugins via unauthenticated or authenticated requests, enabling remote code execution on vulnerabl...

9.8CVSS9.5AI score0.95355EPSS
In wildWeb
CVE
CVE
added 2022/07/20 5:25 p.m.245 views

CVE-2022-26136

CVE-2022-26136 is a vulnerability in multiple Atlassian products where remote, unauthenticated attackers can bypass Servlet Filters used by first and third‑party apps, potentially causing authentication bypass and XSS. Affected products and fixed ranges are provided: Atlassian Bamboo (<8.0.9, ...

9.8CVSS9.1AI score0.04244EPSS
CVE
CVE
added 2022/07/20 5:25 p.m.162 views

CVE-2022-26137

CVE-2022-26137 concerns multiple Atlassian products (Bamboo, Bitbucket, Confluence, Jira, Jira Service Management, Crowd, Fisheye/Crucible) where an unauthenticated remote attacker can trigger additional Servlet Filters in requests/responses, causing a CORS bypass. The issue allows an attacker to...

8.8CVSS9AI score0.01852EPSS
CVE
CVE
added 2020/02/06 3:10 a.m.122 views

CVE-2019-20104

CVE-2019-20104 affects the OpenID client in Atlassian Crowd. Versions before 3.6.2, and 3.7.0 before 3.7.1, are vulnerable to DoS via XML Entity Expansion. Mitigation: update to a fixed release (3.7.1 or newer) or disable the OpenID client app, as Crowd notes indicate the OpenID client has been d...

7.5CVSS7.6AI score0.02434EPSS
CVE
CVE
added 2019/11/08 3:55 a.m.105 views

CVE-2019-15005

The CVE-2019-15005 vulnerability concerns the Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2, which is bundled with multiple Atlassian products. An unprivileged user can initiate periodic log scans and have the results emailed to a user-specified address due to ...

4.3CVSS4.3AI score0.01334EPSS
CVE
CVE
added 2019/12/17 3:45 a.m.94 views

CVE-2017-18107

The data confirms a CSRF vulnerability in Atlassian Crowd’s Crowd Demo application prior to version 3.1.1. The issue allows remote attackers to add/modify/delete users and groups by crafting unauthorized requests, due to insufficient request validation in the web application. The Demo app is not ...

6.5CVSS6.5AI score0.00449EPSS
CVE
CVE
added 2019/04/30 3:28 p.m.90 views

CVE-2018-20239

CVE-2018-20239 involves a cross-site scripting (XSS) flaw in the Application Links plugin’s applinkStartingUrl parameter. The vulnerability affects multiple plugin versions: Application Links before 5.0.11, 5.1.0–before 5.2.10, 5.3.0–before 5.3.6, 5.4.0–before 5.4.12, and 6.0.0–before 6.0.4. It i...

5.4CVSS5.2AI score0.03401EPSS
CVE
CVE
added 2022/11/17 12:0 a.m.82 views

CVE-2022-43782

CVE-2022-43782 affects Atlassian Crowd. Affected: Crowd versions 3.x, 4.x before 4.4.4, and 5.x before 5.0.3. Root cause: security misconfiguration allows an attacker from an IP on the crowd application allowlist to authenticate as the crowd application and call privileged endpoints in Crowd’s RE...

9.8CVSS9.4AI score0.00888EPSS
CVE
CVE
added 2023/11/21 6:0 p.m.80 views

CVE-2023-22521

CVE-2023-22521 concerns Atlassian Crowd Data Center and Server. The vulnerability is an authenticated remote code execution (RCE) affecting the 3.4.6 baseline, with CVSS metrics indicating high impact on confidentiality, integrity, and availability and no user interaction required. Atlassian reco...

8.8CVSS8AI score0.01213EPSS
CVE
CVE
added 2012/05/22 3:0 p.m.79 views

CVE-2012-2926

CVE-2012-2926 covers multiple Atlassian products (JIRA <5.0.1; Confluence pre-3.5.16, 4.0.x <4.0.7, 4.1.x <4.1.10; FishEye/Crucible, Bamboo <3.3.4/3.4.x; Crowd <2.0.9, <2.1.2, <2.2.9, <2.3.7,

9.1CVSS9AI score0.66578EPSS
CVE
CVE
added 2013/07/01 9:0 p.m.67 views

CVE-2013-3925

CVE-2013-3925 affects Atlassian Crowd prior to version 2.5.4, 2.6.x prior to 2.6.3, as well as 2.3.8 and 2.4.9. The flaw is an XML External Entity (XXE) vulnerability that enables remote attackers to read arbitrary files and cause requests to intranet servers by crafting a request to /services/2 ...

5.8CVSS8.9AI score0.01758EPSS
Web
CVE
CVE
added 2020/10/01 1:30 a.m.65 views

CVE-2019-20902

Summary: CVE-2019-20902 describes a vulnerability in Crowd where upgrading via XML Data Transfer can reactivate a disabled OpenLDAP user. The issue affects Crowd versions prior to 3.4.6 and 3.5.0 prior to 3.5.1; fixed in 3.4.6 and 3.5.1+ (per records). Impact/behavior: during upgrade, disabled Op...

7.5CVSS7.5AI score0.00872EPSS
CVE
CVE
added 2021/03/01 4:23 p.m.62 views

CVE-2020-36240

The CVE-2020-36240 issue in Atlassian Crowd concerns the ResourceDownloadRewriteRule class, where versions prior to 4.0.4 and versions 4.1.0 to 4.1.1 (i.e., before 4.1.2) allow unauthenticated remote attackers to read arbitrary files inside WEB-INF and META-INF due to an incorrect path access che...

5.3CVSS5.3AI score0.01233EPSS
CVE
CVE
added 2016/12/09 10:0 p.m.61 views

CVE-2016-6496

CVE-2016-6496 affects Atlassian Crowd LDAP entry handling. The LDAP directory connector is vulnerable to LDAP Java object injection: an attacker can cause remote code execution by sending a crafted serialized Java object in an LDAP attribute. Affected versions are all Crowd 1.4.1 to 2.8.7 (and 2....

9.8CVSS9.6AI score0.04705EPSS
CVE
CVE
added 2018/01/31 2:0 p.m.59 views

CVE-2017-16858

The CVE-2017-16858 issue affects Atlassian Crowd’s crowd-application plugin (used by Google Apps) where versions 1.5.0–3.1.1 allow impersonation of a Crowd user in REST requests by authenticating to a directory bound to an application. In the described scenario, if Crowd is bound to directory 1 w...

6.8CVSS6.5AI score0.00566EPSS
CVE
CVE
added 2019/03/29 2:4 p.m.59 views

CVE-2017-18108

CVE-2017-18108 affects Atlassian Crowd prior to version 2.10.2. The administration SMTP configuration resource contains a JNDI injection vulnerability that allows remote attackers with administration rights to execute arbitrary code. Impact: arbitrary code execution with admin privileges; CVSS3 b...

7.2CVSS7.5AI score0.0233EPSS
CVE
CVE
added 2019/03/29 2:4 p.m.54 views

CVE-2017-18105

The CVE affects Atlassian Crowd: versions before 3.0.2 and in 3.1.0–3.1.1 are vulnerable due to a session fixation flaw where the login flow does not rotate the JSESSIONID. This allows remote attackers who already possess a user’s JSESSIONID to access some built-in and potentially third-party RES...

8.1CVSS8.1AI score0.01427EPSS
CVE
CVE
added 2019/03/29 2:4 p.m.54 views

CVE-2017-18106

CVE-2017-18106 affects Atlassian Crowd versions before 2.9.1. The vulnerability stems from the session token’s identifier_hash potentially colliding with another user’s (or a user in a different directory), allowing remote attackers who can authenticate to Crowd or an application using Crowd to h...

7.5CVSS7.8AI score0.01258EPSS
CVE
CVE
added 2013/07/01 9:0 p.m.48 views

CVE-2013-3926

Atlassian Crowd 2.6.3 is cited as vulnerable to remote command execution via unspecified vectors related to a “symmetric backdoor.” The vendor publicly stated they could not reproduce the issue as of 2013-07-04 and provided no detail or patch information; no concrete exploit details are included....

7.5CVSS7.8AI score0.01937EPSS
CVE
CVE
added 2019/03/29 2:4 p.m.48 views

CVE-2017-18109

The CVE-2017-18109 vulnerability affects Atlassian Crowd’s CrowdId login resource before v3.0.2 and in v3.1.0 before v3.1.1, enabling remote attackers to perform phishing via an open redirect. Root cause: improper redirect handling in the login flow. Impact: open redirect could lead victims to a ...

6.1CVSS6.2AI score0.01131EPSS
CVE
CVE
added 2019/01/29 2:0 a.m.46 views

CVE-2016-10740

CVE-2016-10740 affects Atlassian Crowd prior to 2.10.1. The issue allows remote attackers with administration rights to learn passwords of configured LDAP directories by inspecting responses from various resources. Impact is limited to those with admin privileges and knowledge of LDAP configurati...

4.9CVSS5.2AI score0.01056EPSS
CVE
CVE
added 2019/02/13 6:0 p.m.46 views

CVE-2018-20238

CVE-2018-20238 affects Atlassian Crowd: remote attackers can authenticate using an expired user session due to insufficient session expiration. Affected versions are Crowd prior to 3.2.7 and 3.3.0 up to 3.3.4. This is described as an authentication issue in various REST resources, enabling sessio...

8.1CVSS8AI score0.01513EPSS
CVE
CVE
added 2019/03/29 2:4 p.m.45 views

CVE-2017-18110

The Atlassian Crowd CVE-2017-18110 affects the administration backup restore resource and allows remote attackers to read files from the filesystem via a XXE vulnerability. Affected versions are before 3.0.2 and before 3.1.1 (specifically 3.1.0 to 3.1.1). Exploitation is described as remote, over...

6.5CVSS6.3AI score0.01234EPSS
CVE
CVE
added 2026/01/28 12:30 a.m.22 views

CVE-2026-21569

This CVE affects Crowd Data Center and Server (Atlassian) starting from version 7.1.0, with a high-severity XXE (XML External Entity Injection) vulnerability. The issue allows an authenticated attacker to access local and remote content, with high impact to confidentiality and availability, and l...

7.9CVSS5.9AI score0.00297EPSS