Filtered by vendor Atlassian
Subscribe
Total
439 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000418 | 1 Atlassian | 1 Hipchat | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
| CVE-2017-18113 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. | |||||
| CVE-2017-18112 | 1 Atlassian | 1 Fisheye | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3. | |||||
| CVE-2017-18111 | 1 Atlassian | 1 Application Links | 2024-11-21 | 5.5 MEDIUM | 8.7 HIGH |
| The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability. | |||||
| CVE-2017-18110 | 1 Atlassian | 1 Crowd | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. | |||||
| CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
| CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
| CVE-2017-18107 | 1 Atlassian | 1 Crowd | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default. | |||||
| CVE-2017-18106 | 1 Atlassian | 1 Crowd | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash. | |||||
| CVE-2017-18105 | 1 Atlassian | 1 Crowd | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability. | |||||
| CVE-2017-18104 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query. | |||||
| CVE-2017-18103 | 1 Atlassian | 1 Http Library | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml. | |||||
| CVE-2017-18102 | 1 Atlassian | 1 Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup. | |||||
| CVE-2017-18101 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks. | |||||
| CVE-2017-18100 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters. | |||||
| CVE-2017-18098 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields. | |||||
| CVE-2017-18097 | 1 Atlassian | 1 Jira | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. | |||||
| CVE-2017-18096 | 1 Atlassian | 1 Application Links | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
| The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | |||||
| CVE-2017-18095 | 1 Atlassian | 1 Crucible | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. | |||||