Filtered by vendor Atlassian
Subscribe
Total
433 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-3395 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | |||||
CVE-2019-15000 | 1 Atlassian | 1 Bitbucket | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) allows remote attackers who have permission to access a repository, if public access is enabled for a project or repository then attackers are able to exploit this issue anonymously, to read the contents of arbitrary files on the system and execute commands via injecting additional arguments into git commands. | |||||
CVE-2019-11586 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2019-11584 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority. | |||||
CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2018-20239 | 1 Atlassian | 8 Application Links, Confluence Data Center, Confluence Server and 5 more | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0. | |||||
CVE-2018-20826 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. | |||||
CVE-2019-8448 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |||||
CVE-2019-15053 | 1 Atlassian | 1 Html Include And Replace Macro | 2024-02-28 | 6.0 MEDIUM | 6.8 MEDIUM |
The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element. | |||||
CVE-2019-14999 | 1 Atlassian | 1 Universal Plugin Manager | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator. | |||||
CVE-2019-14994 | 1 Atlassian | 1 Jira Service Desk | 2024-02-28 | 4.3 MEDIUM | 7.5 HIGH |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
CVE-2018-20827 | 1 Atlassian | 1 Jira | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. | |||||
CVE-2018-20824 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | |||||
CVE-2018-20234 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. | |||||
CVE-2018-20236 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 9.3 HIGH | 8.8 HIGH |
There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system. | |||||
CVE-2019-11585 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
CVE-2019-3396 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | |||||
CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
CVE-2019-8444 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. | |||||
CVE-2019-8449 | 1 Atlassian | 1 Jira | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. |