Filtered by vendor Atlassian
Subscriptions
Total
436 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-9512 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-16 | 7.5 High |
| The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. | ||||
| CVE-2017-8907 | 1 Atlassian | 1 Bamboo | 2024-10-16 | 8.8 High |
| Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. | ||||
| CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2024-10-16 | N/A |
| The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | ||||
| CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2024-10-16 | N/A |
| The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). | ||||
| CVE-2017-9505 | 1 Atlassian | 1 Confluence | 2024-10-16 | 4.3 Medium |
| Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | ||||
| CVE-2017-9511 | 2 Atlassian, Microsoft | 3 Crucible, Fisheye, Windows | 2024-10-15 | 7.5 High |
| The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. | ||||
| CVE-2019-13990 | 6 Apache, Atlassian, Netapp and 3 more | 35 Tomee, Jira Service Management, Active Iq Unified Manager and 32 more | 2024-10-15 | 9.8 Critical |
| initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | ||||
| CVE-2017-9509 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-15 | N/A |
| The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file. | ||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-15 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | ||||
| CVE-2017-9507 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-15 | N/A |
| The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. | ||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-15 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | ||||
| CVE-2021-39128 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-10-11 | 7.2 High |
| Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1. | ||||
| CVE-2021-39127 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-10-11 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. | ||||
| CVE-2021-39119 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0. | ||||
| CVE-2021-39115 | 1 Atlassian | 2 Jira Service Desk, Jira Service Management | 2024-10-11 | 7.2 High |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0. | ||||
| CVE-2021-39113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 7.5 High |
| Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. | ||||
| CVE-2021-39109 | 1 Atlassian | 1 Atlasboard | 2024-10-11 | 7.5 High |
| The renderWidgetResource resource in Atlasian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability. | ||||
| CVE-2021-26081 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 5.3 Medium |
| REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint. | ||||
| CVE-2021-39117 | 1 Atlassian | 2 Data Center, Jira | 2024-10-11 | 4.8 Medium |
| The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field. | ||||
| CVE-2021-39111 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-10-11 | 6.1 Medium |
| The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field. | ||||