Filtered by vendor Atlassian
Subscribe
Total
433 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability. | |||||
CVE-2018-5229 | 1 Atlassian | 1 Universal Plugin Manager | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names. | |||||
CVE-2018-13394 | 1 Atlassian | 1 Questions For Confluence | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2018-20232 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting. | |||||
CVE-2018-13400 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 6.5 MEDIUM | 4.7 MEDIUM |
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
CVE-2018-13402 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | |||||
CVE-2018-1000422 | 1 Atlassian | 1 Crowd2 | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings. | |||||
CVE-2018-1000423 | 1 Atlassian | 1 Crowd2 | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2. | |||||
CVE-2018-13395 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. | |||||
CVE-2018-13392 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. | |||||
CVE-2018-13387 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete. | |||||
CVE-2018-13386 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability. | |||||
CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-28 | 4.0 MEDIUM | 4.1 MEDIUM |
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability. | |||||
CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. | |||||
CVE-2016-10740 | 1 Atlassian | 1 Crowd | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources. | |||||
CVE-2017-18094 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository. | |||||
CVE-2017-18090 | 1 Atlassian | 1 Fisheye | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Various resources in Atlassian Fisheye before version 4.5.1 (the fixed version for 4.5.x) and before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a commit author. | |||||
CVE-2017-18085 | 1 Atlassian | 1 Confluence | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | |||||
CVE-2017-18084 | 1 Atlassian | 1 Confluence | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. | |||||
CVE-2017-18033 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities. |