Filtered by vendor Atlassian
Subscribe
Total
433 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | |||||
| CVE-2019-8444 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. | |||||
| CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
| CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
| CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-3402 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
| CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-3400 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. | |||||
| CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
| CVE-2019-3398 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. | |||||
| CVE-2019-3397 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool. | |||||
| CVE-2019-3396 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | |||||
| CVE-2019-3395 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | |||||
| CVE-2019-3394 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. | |||||
| CVE-2019-20903 | 1 Atlassian | 1 Editor-core | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. | |||||
| CVE-2019-20902 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1. | |||||
| CVE-2019-20901 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter. | |||||
| CVE-2019-20900 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0. | |||||
| CVE-2019-20899 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1. | |||||