CVE-2020-14181
CVE-2020-14181 affects Atlassian Jira Server/Data Center and enables an unauthenticated user to enumerate users via the /ViewUserHover.jspa endpoint due to an information disclosure flaw. Affected versions are: < 7.13.16, 8.0.0–<8.5.7, and 8.6.0–
CVE-2020-36289
Atlassian Jira Server and Data Center is affected by an unauthenticated information-disclosure via the QueryComponentRendererValue!Default.jspa endpoint. Affected versions are before 8.5.13; from 8.6.0 before 8.13.5; and from 8.14.0 before 8.15.1. An unauthenticated attacker can enumerate users a...
CVE-2021-26078
CVE-2021-26078 affects Jira Server and Jira Data Center: the number range searcher component is vulnerable to cross-site scripting (XSS) in versions before 8.5.14, 8.6.x before 8.13.6, and 8.14.0 before 8.16.1. An unauthenticated, remote attacker can inject arbitrary HTML/JavaScript via crafted i...
CVE-2020-36287
Summary: CVE-2020-36287 affects Atlassian Jira Server/Data Center through the dashboard gadgets preference resource of the Atlassian gadgets plugin. The root cause is a missing permissions check, enabling remote anonymous access to gadget-related settings. Affected versions: Jira Server prior to ...
CVE-2021-39119
CVE-2021-39119 affects Atlassian Jira Server and Data Center prior to 8.19.0. The vulnerability is a Broken Access Control in the issue notification feature that allows users who have watched an issue to receive updates even after their Jira account is revoked. Affected versions are before 8.19.0...
CVE-2021-26070
CVE-2021-26070 affects Atlassian Jira Server and Data Center. The vulnerability is a Broken Authentication issue in the makeRequest gadget resource that allows remote attackers to evade behind-the-firewall protections for app-linked resources. Affected versions are before 8.13.3 and 8.14.0 before...
CVE-2021-26069
CVE-2021-26069 affects Atlassian Jira Server/Data Center via an information-disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations endpoint. Affected versions are before 8.5.11, 8.6.0 before 8.13.3, and 8.14.0 before 8.15.0, allowing unauthenticated remote attackers to dow...
CVE-2021-43947
CVE-2021-43947 affects Atlassian Jira Server/Data Center: remote code execution via Email Templates, exploitable by an administrator. Affected versions are before 8.13.15 and 8.14.x before 8.20.3; remediation is to upgrade to 8.20.3 or later. The issue bypasses the JSDSERVER-8665 fix.
CVE-2021-26081
CVE-2021-26081 affects Atlassian Jira Server/Data Center: REST API /rest/api/latest/user/avatar/temporary allows remote username enumeration in affected builds (before 8.5.14; 8.6.x before 8.13.6; 8.14.x before 8.16.1). Public reports confirm the vulnerability exists in these versions, with the i...
CVE-2021-43953
CVE-2021-43953 affects Atlassian Jira Server/Data Center. A CSRF vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint allows unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings. Affected versions are before 8.13.16 and 8.14.x before 8.20.5....
CVE-2017-18113
Summary: CVE-2017-18113 affects Jira Server/Data Center prior to 8.18.1, where the DefaultOSWorkflowConfigurator can be manipulated via crafted workflows to trigger Remote Code Execution (RCE). The underlying issue involves unsafe OSWorkflow classes being used in workflows, allowing an attacker t...
CVE-2020-29453
CVE-2020-29453 affects Jira Server/Data Center: CachingResourceDownloadRewriteRule allows unauthenticated remote readers to access arbitrary files in WEB-INF and META-INF due to an incorrect path check. Products/versions implicated (per initial sources): before 8.5.11, 8.6.x before 8.13.3, and 8....
CVE-2020-36234
CVE-2020-36234: Atlassian Jira Server/Data Center XSS in Screens Modal view affects Jira versions prior to 8.5.11, 8.6.x before 8.13.3, and 8.14.x before 8.15.0. Root cause is insufficient input validation in the Screens Modal UI, enabling remote attackers to inject arbitrary HTML/JavaScript. Imp...
CVE-2021-43945
Summary (CVE-2021-43945): Atlassian Jira Server/Data Center is affected by a Stored XSS in the /rest/jpo/1.0/hierarchyConfiguration endpoint. Remote attackers with Roadmaps Administrator permissions can inject arbitrary HTML/JavaScript through this SXSS. Affected versions are before 8.20.3; fixed...
CVE-2020-29451
CVE-2020-29451 maps to an information-disclosure vulnerability in Atlassian Jira Server/Data Center, affecting the Jira Projects plugin report page. The vulnerability allows a remote attacker to enumerate Jira projects from affected installations. Affected versions are before 8.5.11, 8.6.0 before...
CVE-2020-36237
CVE-2020-36237 affects Atlassian Jira Server and Data Center prior to 8.15.0, where unauthenticated remote attackers can view custom field options via the /rest/api/2/customFieldOption/ endpoint (information disclosure). Affected versions are before 8.15.0; fixed in 8.15.0. The connected Atlassia...
CVE-2021-26076
CVE-2021-26076 concerns the jira.editor.user.mode cookie used by the Jira Editor Plugin on Jira Server/Data Center. The cookie is not marked as Secure even when Jira is configured to use HTTPS, enabling remote anonymous attackers to perform a man-in-the-middle attack to learn which ...
CVE-2020-36238
CVE-2020-36238 affects Jira Server/Data Center. The vulnerability exists in the /rest/api/1.0/render resource and allows remote anonymous attackers to determine whether a username is valid via a missing permissions check. Affected versions include Jira Server/Data Center before 8.5.13, from 8.6.0...
CVE-2020-36286
CVE-2020-36286 affects Atlassian Jira Server and Data Center; information disclosure vulnerability in the membersOf JQL search function allows remote anonymous attackers to determine if a group exists and group memberships when exposed via publicly visible issue fields. Affected versions before f...
CVE-2020-36288
CVE-2020-36288 affects Atlassian Jira Server/Data Center: DOM-based XSS caused by parameter pollution in the issue navigation/search view. Affected ranges are Jira Server/Data Center prior to 8.5.12, 8.6.x prior to 8.13.4, and 8.14.x prior to 8.15.1. Remediation is to upgrade to fixed versions: 8...
CVE-2021-26071
CVE-2021-26071 affects Jira Server/Data Center via the SetFeatureEnabled.jspa resource. The vulnerability allows remote anonymous attackers to enable/disable Jira Software configuration through a Cross-Site Request Forgery (CSRF) vulnerability. Affected versions are Jira Server/Data Center before...
CVE-2021-26075
CVE-2021-26075 affects Atlassian Jira Server/Data Center: the AttachTemporaryFile REST resource allows remote authenticated attackers to disclose the full path of the Jira application data directory via an error message when an invalid filename is provided. Affected versions are before 8.5.12, fr...
CVE-2021-39112
CVE-2021-39112 affects Atlassian Jira Server/Data Center with a reverse tabnabbing issue in Project Shortcuts. Affected versions are before 8.5.15; 8.6.0 before 8.13.7; 8.14.0 before 8.17.1; and 8.18.0 before 8.18.1. The connected sources specify affected versions and vulnerability class but do n...
CVE-2021-26083
Affected product: Atlassian Jira Server/Data Center. Vulnerable component: Export HTML Report feature. Root cause: Cross-Site Scripting (XSS) due to improper input handling in the export HTML report path. Impact: remote attackers can inject arbitrary HTML/JavaScript via the export HTML Report, wi...
CVE-2021-41304
CVE-2021-41304 affects Atlassian Jira Server/Data Center with a reflected XSS in the error message of /secure/admin/ImporterFinishedPage.jspa. Affected versions are < 8.13.12 and 8.14.0 ≤
CVE-2021-26082
The CVE-2021-26082 issue affects Atlassian Jira Server/Data Center’s XML Export feature, allowing stored cross-site scripting via the XML Export path. Affected ranges: Jira Server/Data Center before 8.5.14; 8.6.0 before 8.13.6; 8.14.0 before 8.17.0. Root cause: improper handling in the XML Export...
CVE-2021-41312
CVE-2021-41312 affects Atlassian Jira Server and Data Center prior to 8.19.1. The vulnerability is an Improper Authentication in the /secure/ViewCollectors endpoint that allows a remote attacker who previously had access revoked from Jira Service Management to enable/disable Issue Collectors with...
CVE-2021-26079
CVE-2021-26079 affects Atlassian Jira Server/Data Center: the CardLayoutConfigTable component is vulnerable to remote XSS. Affected versions include Jira Server/Data Center before 8.5.15; 8.6.0 before 8.13.7; and 8.14.0 before 8.17.0. The vulnerability allows a remote attacker to inject arbitrar...
CVE-2021-39122
CVE-2021-39122 affects Atlassian Jira Server and Data Center via an Information Disclosure vulnerability in the /rest/api/2/search endpoint, allowing anonymous remote attackers to view users’ emails. Affected versions include pre-8.5.13, 8.6.0–8.13.5 (before 8.13.5), and 8.14.0–8.15.1 (before 8.1...
CVE-2021-39125
CVE-2021-39125 affects Atlassian Jira Server and Data Center, enabling anonymous remote attackers to enumerate usernames via the password reset page. Affected versions are before 8.5.10 and 8.6.0 through 8.13.1. Fixed versions are 8.5.10 and 8.13.1. No exploitation details are provided in the con...
CVE-2021-39113
Summary of CVE-2021-39113 (Atlassian Jira Server/Data Center). Affects: Atlassian Jira Server and Data Center installations. Vulnerable component: the allowlist feature enabling access control for cached content. Root cause: Broken Access Control allowing anonymous remote attackers to continue vie...
CVE-2021-39121
Summary: CVE-2021-39121 is an information-disclosure vulnerability in Atlassian Jira Server/Data Center that allows an authenticated remote attacker to enumerate private project keys via the /rest/api/latest/projectvalidate/key endpoint. Affected versions: before 8.5.18; 8.6.0 before 8.13.10; 8.1...
CVE-2021-39111
The CVE-2021-39111 issue affects the Editor plugin in Atlassian Jira Server/Data Center. A Cross-Site Scripting (XSS) vulnerability exists in handling supplied content (e.g., PDFs pasted into fields like description), allowing remote attackers to inject arbitrary HTML/JavaScript. Affected version...
CVE-2021-39124
Atlassian Jira Server and Data Center are affected prior to 8.16.0 by a CSRF failure retry feature that lets remote attackers trick a user into retrying a request, bypassing CSRF protection and replaying a crafted request. Affected versions:
CVE-2021-39118
CVE-2021-39118 affects Atlassian Jira Server and Data Center. The vulnerability is an enumeration flaw in the /rest/api/1.0/render endpoint that allows remote attackers to discover usernames and full names of users. Affected versions are those prior to 8.19.0; fixed in 8.19.0. The connected sourc...
CVE-2019-20101
CVE-2019-20101 affects Atlassian Jira Server/Data Center. The vulnerability is a Broken Access Control issue in the endpoint /rest/whitelist//check, allowing anonymous remote attackers to view whitelist rules. Affected versions are before 8.13.3 and 8.14.0 up to 8.14.1. The root cause is improper...
CVE-2021-39123
CVE-2021-39123 affects Atlassian Jira Server and Data Center prior to 8.16.0, where unauthenticated remote attackers can impact availability via DoS on the /rest/gadget/1.0/createdVsResolved/generate endpoint. The vulnerability is triggered in the gadget generation path and is mitigated by upgrad...
CVE-2021-39117
Summary: Atlassian Jira Server and Data Center prior to 8.18.0 are vulnerable to a stored XSS via the Custom Fields creation on the AssociateFieldToScreens page. The root cause is insufficient sanitization of the field name, allowing an attacker to inject arbitrary HTML/JavaScript. Affected versi...