Filtered by vendor Atlassian
Subscribe
Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20402 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability. | |||||
| CVE-2019-20401 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. | |||||
| CVE-2019-20400 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability. | |||||
| CVE-2019-20106 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. | |||||
| CVE-2019-20105 | 1 Atlassian | 1 Application Links | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability. | |||||
| CVE-2019-20104 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. | |||||
| CVE-2019-20102 | 1 Atlassian | 1 Confluence Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | |||||
| CVE-2019-20101 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1. | |||||
| CVE-2019-20100 | 1 Atlassian | 3 Jira, Jira Data Center, Jira Server | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. | |||||
| CVE-2019-20099 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. | |||||
| CVE-2019-20098 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. | |||||
| CVE-2019-20097 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content. | |||||
| CVE-2019-15053 | 1 Atlassian | 1 Html Include And Replace Macro | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
| The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element. | |||||
| CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
| CVE-2019-15012 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance. | |||||
| CVE-2019-15011 | 1 Atlassian | 1 Application Links | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check. | |||||
| CVE-2019-15010 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance. | |||||
| CVE-2019-15009 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. | |||||
| CVE-2019-15008 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. | |||||
| CVE-2019-15007 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | |||||