Filtered by vendor Atlassian
Subscriptions
Total
434 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-39118 | 1 Atlassian | 2 Data Center, Jira | 2024-09-17 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0. | ||||
| CVE-2020-4022 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-09-17 | 6.1 Medium |
| The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type. | ||||
| CVE-2020-4023 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 5.4 Medium |
| The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter. | ||||
| CVE-2018-13390 | 1 Atlassian | 1 Cloudtoken | 2024-09-17 | N/A |
| Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles. | ||||
| CVE-2020-4014 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | 4.3 Medium |
| The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. | ||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | ||||
| CVE-2020-36289 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. | ||||
| CVE-2017-18085 | 1 Atlassian | 1 Confluence | 2024-09-17 | N/A |
| The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | ||||
| CVE-2022-36802 | 1 Atlassian | 1 Jira Align | 2024-09-17 | 4.9 Medium |
| The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request. | ||||
| CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2024-09-17 | 8.1 High |
| The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | ||||
| CVE-2018-5229 | 1 Atlassian | 1 Universal Plugin Manager | 2024-09-17 | N/A |
| The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names. | ||||
| CVE-2021-26071 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 3.5 Low |
| The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. | ||||
| CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2024-09-17 | N/A |
| The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability. | ||||
| CVE-2021-26075 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 4.3 Medium |
| The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename. | ||||
| CVE-2021-26085 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-09-17 | 5.3 Medium |
| Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | ||||
| CVE-2017-16863 | 1 Atlassian | 1 Jira | 2024-09-17 | N/A |
| The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter. | ||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2024-09-17 | N/A |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | ||||
| CVE-2021-26084 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-09-17 | 9.8 Critical |
| In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | ||||
| CVE-2021-26069 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 5.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. | ||||
| CVE-2018-20824 | 1 Atlassian | 1 Jira | 2024-09-17 | N/A |
| The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | ||||