Filtered by vendor Atlassian
Subscribe
Total
433 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-14997 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN. | |||||
CVE-2019-14995 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check. | |||||
CVE-2019-3400 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. | |||||
CVE-2019-11580 | 1 Atlassian | 1 Crowd | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. | |||||
CVE-2019-3398 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. | |||||
CVE-2017-18110 | 1 Atlassian | 1 Crowd | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. | |||||
CVE-2019-3402 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
CVE-2019-8451 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. | |||||
CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | |||||
CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
CVE-2019-3394 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. | |||||
CVE-2019-8450 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. | |||||
CVE-2019-3397 | 1 Atlassian | 1 Bitbucket | 2024-02-28 | 9.0 HIGH | 9.1 CRITICAL |
Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool. | |||||
CVE-2019-14996 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
CVE-2017-18111 | 1 Atlassian | 1 Application Links | 2024-02-28 | 5.5 MEDIUM | 8.7 HIGH |
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability. | |||||
CVE-2019-11582 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 9.3 HIGH | 8.8 HIGH |
An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI. | |||||
CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2019-11589 | 1 Atlassian | 1 Jira Server | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | |||||
CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. |