Total
144 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-20824 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | |||||
| CVE-2018-20232 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting. | |||||
| CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.0 MEDIUM | 4.1 MEDIUM |
| The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2018-13403 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard. | |||||
| CVE-2018-13402 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | |||||
| CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability. | |||||
| CVE-2018-13400 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.5 MEDIUM | 4.7 MEDIUM |
| Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
| CVE-2018-13395 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. | |||||
| CVE-2018-13391 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden. | |||||
| CVE-2018-13387 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter as the fix for CVE-2017-18039 was incomplete. | |||||
| CVE-2017-5983 | 1 Atlassian | 1 Jira | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. | |||||
| CVE-2017-18113 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. | |||||
| CVE-2017-18104 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query. | |||||
| CVE-2017-18101 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks. | |||||
| CVE-2017-18100 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters. | |||||
| CVE-2017-18098 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields. | |||||
| CVE-2017-18097 | 1 Atlassian | 1 Jira | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. | |||||
| CVE-2017-18039 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter. | |||||
| CVE-2017-18033 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities. | |||||
| CVE-2017-16865 | 1 Atlassian | 1 Jira | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | |||||