Filtered by vendor Atlassian Subscriptions
Total 436 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-26073 1 Atlassian 1 Connect Express 2024-11-21 7.7 High
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
CVE-2021-26072 1 Atlassian 2 Confluence Data Center, Confluence Server 2024-11-21 4.3 Medium
The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
CVE-2021-26071 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-11-21 3.5 Low
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
CVE-2021-26070 1 Atlassian 3 Data Center, Jira, Jira Server 2024-11-21 7.2 High
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.
CVE-2021-26069 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-11-21 5.3 Medium
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
CVE-2021-26068 1 Atlassian 1 Jira Server For Slack 2024-11-21 8.8 High
An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability.
CVE-2021-26067 1 Atlassian 1 Bamboo 2024-11-21 5.3 Medium
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.
CVE-2020-9344 1 Atlassian 1 Subversion Application Lifecycle Management 2024-11-21 6.1 Medium
Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations.
CVE-2020-4029 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 4.3 Medium
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
CVE-2020-4028 1 Atlassian 2 Jira, Jira Software Data Center 2024-11-21 5.3 Medium
Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.
CVE-2020-4027 1 Atlassian 2 Confluence, Confluence Server 2024-11-21 4.7 Medium
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
CVE-2020-4026 1 Atlassian 1 Navigator Links 2024-11-21 4.3 Medium
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check.
CVE-2020-4025 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 4.8 Medium
The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.
CVE-2020-4024 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 5.4 Medium
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.
CVE-2020-4023 1 Atlassian 2 Crucible, Fisheye 2024-11-21 5.4 Medium
The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.
CVE-2020-4022 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 6.1 Medium
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.
CVE-2020-4021 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2024-11-21 5.4 Medium
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
CVE-2020-4020 1 Atlassian 1 Companion 2024-11-21 7.2 High
The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure.
CVE-2020-4019 1 Atlassian 1 Companion 2024-11-21 7.8 High
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability.
CVE-2020-4018 1 Atlassian 2 Crucible, Fisheye 2024-11-21 8.8 High
The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability.