Filtered by vendor Atlassian
Subscriptions
Total
436 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-8450 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 4.8 Medium |
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. | ||||
CVE-2019-8449 | 1 Atlassian | 1 Jira | 2024-11-21 | 5.3 Medium |
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | ||||
CVE-2019-8448 | 1 Atlassian | 1 Jira Server | 2024-11-21 | N/A |
The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | ||||
CVE-2019-8447 | 1 Atlassian | 1 Jira Server | 2024-11-21 | N/A |
The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. | ||||
CVE-2019-8446 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.3 Medium |
The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. | ||||
CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.3 Medium |
Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | ||||
CVE-2019-8444 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 5.4 Medium |
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. | ||||
CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 8.1 High |
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | ||||
CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 7.5 High |
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | ||||
CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.3 Medium |
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | ||||
CVE-2019-3402 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | N/A |
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | ||||
CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.3 Medium |
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | ||||
CVE-2019-3400 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 6.1 Medium |
The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. | ||||
CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 7.5 High |
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | ||||
CVE-2019-3398 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 8.8 High |
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. | ||||
CVE-2019-3397 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | N/A |
Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool. | ||||
CVE-2019-3396 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | 9.8 Critical |
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | ||||
CVE-2019-3395 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | N/A |
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | ||||
CVE-2019-3394 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-11-21 | N/A |
There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. | ||||
CVE-2019-20903 | 1 Atlassian | 1 Editor-core | 2024-11-21 | 5.4 Medium |
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. |