Crowd@* Security Vulnerabilities and Issues — Crowd@* CVE List

Lucene search

AtlassianCrowd*

16 matches found

CVE•added 2022/07/20 6:15 p.m.•199 views

CVE-2022-26136

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and c...

9.8CVSS9.1AI score0.00309EPSS

CVE•added 2022/07/20 6:15 p.m.•143 views

CVE-2022-26137

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-...

8.8CVSS9AI score0.00065EPSS

CVE•added 2020/02/06 3:15 a.m.•109 views

CVE-2019-20104

The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.

7.5CVSS7.6AI score0.02432EPSS

CVE•added 2019/11/08 4:15 a.m.•94 views

CVE-2019-15005

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the ap...

4.3CVSS4.3AI score0.00195EPSS

CVE•added 2019/12/17 4:15 a.m.•79 views

CVE-2017-18107

Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default.

6.5CVSS6.5AI score0.00411EPSS

CVE•added 2019/04/30 4:29 p.m.•74 views

CVE-2018-20239

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the appl...

5.4CVSS5.2AI score0.00399EPSS

CVE•added 2012/05/22 3:55 p.m.•66 views

CVE-2012-2926

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2...

9.1CVSS9AI score0.56379EPSS

CVE•added 2020/10/01 2:15 a.m.•49 views

CVE-2019-20902

Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.

7.5CVSS7.5AI score0.00241EPSS

CVE•added 2021/03/01 5:15 p.m.•48 views

CVE-2020-36240

The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

5.3CVSS5.3AI score0.00349EPSS

CVE•added 2019/03/29 2:29 p.m.•45 views

CVE-2017-18108

The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.

7.2CVSS7.5AI score0.01757EPSS

CVE•added 2019/03/29 2:29 p.m.•41 views

CVE-2017-18105

The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation v...

8.1CVSS8.1AI score0.00573EPSS

CVE•added 2019/03/29 2:29 p.m.•39 views

CVE-2017-18106

The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain ...

7.5CVSS7.8AI score0.00608EPSS

CVE•added 2019/02/13 6:29 p.m.•35 views

CVE-2018-20238

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.

8.1CVSS8AI score0.00173EPSS

CVE•added 2019/03/29 2:29 p.m.•33 views

CVE-2017-18110

The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.

6.5CVSS6.3AI score0.00145EPSS

CVE•added 2019/03/29 2:29 p.m.•32 views

CVE-2017-18109

The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

6.1CVSS6.2AI score0.00158EPSS

CVE•added 2019/01/29 2:29 a.m.•31 views

CVE-2016-10740

Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources.

4.9CVSS5.2AI score0.00216EPSS