Filtered by vendor Atlassian
Subscribe
Total
433 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-18083 | 1 Atlassian | 1 Confluence | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. | |||||
CVE-2017-18098 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields. | |||||
CVE-2018-5224 | 2 Atlassian, Microsoft | 2 Bamboo, Windows | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability. | |||||
CVE-2017-18091 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup. | |||||
CVE-2018-5226 | 1 Atlassian | 1 Sourcetree | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability. | |||||
CVE-2017-18100 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters. | |||||
CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM |
Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
CVE-2017-16857 | 1 Atlassian | 1 Bitbucket Auto Unapprove Plugin | 2024-02-28 | 6.0 MEDIUM | 8.5 HIGH |
It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket. | |||||
CVE-2017-16856 | 1 Atlassian | 1 Confluence | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. | |||||
CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | |||||
CVE-2017-9505 | 1 Atlassian | 1 Confluence | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | |||||
CVE-2017-14586 | 1 Atlassian | 1 Hipchat | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. | |||||
CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | |||||
CVE-2017-9507 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. | |||||
CVE-2015-6576 | 1 Atlassian | 1 Bamboo | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | |||||
CVE-2017-16864 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter. | |||||
CVE-2017-9514 | 1 Atlassian | 1 Bamboo | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. | |||||
CVE-2017-16862 | 1 Atlassian | 1 Jira | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2017-16865 | 1 Atlassian | 1 Jira | 2024-02-28 | 3.5 LOW | 5.3 MEDIUM |
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | |||||
CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. |