Filtered by vendor Atlassian
Subscribe
Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20099 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. | |||||
| CVE-2019-15009 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. | |||||
| CVE-2019-20404 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. | |||||
| CVE-2019-15007 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
| The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | |||||
| CVE-2019-15006 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-02-28 | 5.8 MEDIUM | 6.5 MEDIUM |
| There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information. | |||||
| CVE-2019-15010 | 1 Atlassian | 1 Bitbucket | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance. | |||||
| CVE-2019-20403 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability. | |||||
| CVE-2019-20097 | 1 Atlassian | 1 Bitbucket | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content. | |||||
| CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
| CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
| CVE-2019-8447 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2019-11587 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). | |||||
| CVE-2019-11581 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 9.3 HIGH | 9.8 CRITICAL |
| There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability. | |||||
| CVE-2019-11583 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name". | |||||
| CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
| CVE-2018-20235 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. | |||||
| CVE-2019-13990 | 5 Apache, Atlassian, Netapp and 2 more | 31 Tomee, Jira Service Management, Active Iq Unified Manager and 28 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | |||||
| CVE-2019-14998 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance. | |||||
| CVE-2019-15001 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. | |||||
| CVE-2019-11588 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. | |||||