Filtered by vendor Atlassian
Subscriptions
Total
434 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36232 | 1 Atlassian | 4 Atlassian-gadgets, Data Center, Jira Data Center and 1 more | 2024-09-17 | 5.0 Medium |
| The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled. | ||||
| CVE-2021-26079 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 6.1 Medium |
| The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. | ||||
| CVE-2021-39123 | 1 Atlassian | 2 Data Center, Jira | 2024-09-17 | 7.5 High |
| Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0. | ||||
| CVE-2019-15006 | 1 Atlassian | 2 Confluence, Confluence Server | 2024-09-17 | 6.5 Medium |
| There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information. | ||||
| CVE-2018-13389 | 1 Atlassian | 1 Confluence | 2024-09-17 | N/A |
| The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. | ||||
| CVE-2021-26073 | 1 Atlassian | 1 Connect Express | 2024-09-17 | 7.7 High |
| Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app. | ||||
| CVE-2018-13400 | 1 Atlassian | 2 Jira, Jira Server | 2024-09-17 | N/A |
| Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | ||||
| CVE-2021-26077 | 1 Atlassian | 1 Connect Spring Boot | 2024-09-17 | 8.8 High |
| Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app. | ||||
| CVE-2019-8449 | 1 Atlassian | 1 Jira | 2024-09-17 | 5.3 Medium |
| The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | ||||
| CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2024-09-17 | 5.3 Medium |
| The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | ||||
| CVE-2020-14177 | 1 Atlassian | 1 Jira Server | 2024-09-17 | 6.5 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from version 8.6.0 before 8.10.2; and from version 8.11.0 before 8.11.1. | ||||
| CVE-2020-14167 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-09-17 | 7.5 High |
| The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability. | ||||
| CVE-2021-41313 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-09-17 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7. | ||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | ||||
| CVE-2013-5319 | 1 Atlassian | 1 Jira | 2024-09-17 | N/A |
| Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/DeleteUser!default.jspa. | ||||
| CVE-2018-5228 | 1 Atlassian | 2 Crucible, Fisheye | 2024-09-17 | N/A |
| The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers. | ||||
| CVE-2022-0540 | 1 Atlassian | 3 Jira Data Center, Jira Server, Jira Service Management | 2024-09-17 | 9.8 Critical |
| A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0. | ||||
| CVE-2019-20415 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-09-17 | 4.3 Medium |
| Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0. | ||||
| CVE-2021-43947 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-09-17 | 7.2 High |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | ||||
| CVE-2019-20407 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-09-17 | 4.3 Medium |
| The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. | ||||