| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-26071 |
352 |
|
CSRF |
2021-04-01 |
2021-04-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. |
|
2 |
CVE-2020-36234 |
79 |
|
XSS |
2021-02-15 |
2021-02-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. |
|
3 |
CVE-2020-29444 |
79 |
|
XSS |
2021-05-07 |
2021-05-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. |
|
4 |
CVE-2020-14184 |
79 |
|
XSS |
2020-10-12 |
2020-10-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1. |
|
5 |
CVE-2020-14175 |
79 |
|
XSS |
2020-07-24 |
2020-07-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2. |
|
6 |
CVE-2020-14173 |
79 |
|
XSS |
2020-07-03 |
2020-07-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1. |
|
7 |
CVE-2020-14166 |
79 |
|
XSS |
2020-07-01 |
2021-04-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file. |
|
8 |
CVE-2020-4025 |
79 |
|
XSS |
2020-07-01 |
2020-07-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type. |
|
9 |
CVE-2020-4024 |
79 |
|
XSS |
2020-07-01 |
2020-07-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type. |
|
10 |
CVE-2020-4021 |
79 |
|
XSS |
2020-06-01 |
2020-07-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view. |
|
11 |
CVE-2020-4013 |
79 |
|
XSS |
2020-06-01 |
2020-06-02 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives. |
|
12 |
CVE-2019-20903 |
79 |
|
XSS |
2020-10-01 |
2020-10-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. |
|
13 |
CVE-2019-20900 |
79 |
|
XSS |
2020-07-13 |
2020-07-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0. |
|
14 |
CVE-2019-20416 |
79 |
|
XSS |
2020-06-30 |
2020-07-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0. |
|
15 |
CVE-2019-20414 |
79 |
|
XSS |
2020-06-29 |
2020-07-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. |
|
16 |
CVE-2019-15007 |
79 |
|
XSS |
2019-12-11 |
2019-12-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. |
|
17 |
CVE-2019-8450 |
79 |
|
XSS |
2019-09-11 |
2019-09-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. |
|
18 |
CVE-2019-8444 |
79 |
|
XSS |
2019-08-23 |
2019-09-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. |
|
19 |
CVE-2018-20827 |
79 |
|
XSS |
2019-08-09 |
2019-08-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. |
|
20 |
CVE-2018-20241 |
79 |
|
XSS |
2019-02-20 |
2019-02-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter. |
|
21 |
CVE-2018-20240 |
79 |
|
XSS |
2019-02-20 |
2019-02-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. |
|
22 |
CVE-2018-20239 |
79 |
|
XSS |
2019-04-30 |
2019-05-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0. |
|
23 |
CVE-2018-20232 |
79 |
|
XSS |
2019-02-13 |
2019-02-27 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting. |
|
24 |
CVE-2018-13403 |
79 |
|
XSS |
2019-02-13 |
2019-02-14 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard. |
|
25 |
CVE-2018-13388 |
79 |
|
XSS |
2018-07-10 |
2018-09-04 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files. |
|
26 |
CVE-2018-5229 |
79 |
|
XSS |
2018-07-16 |
2018-09-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names. |
|
27 |
CVE-2018-5227 |
79 |
|
XSS |
2018-04-10 |
2018-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link. |
|
28 |
CVE-2017-18102 |
79 |
|
XSS |
2018-04-17 |
2019-10-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup. |
|
29 |
CVE-2017-18097 |
79 |
|
XSS |
2018-04-06 |
2018-05-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. |
|
30 |
CVE-2017-18094 |
79 |
|
XSS |
2018-03-22 |
2018-04-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path setting of a configured file system repository. |
|
31 |
CVE-2017-18093 |
79 |
|
XSS |
2018-02-19 |
2018-03-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository. |
|
32 |
CVE-2017-18092 |
79 |
|
XSS |
2018-02-19 |
2018-03-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet. |
|
33 |
CVE-2017-18091 |
79 |
|
XSS |
2018-02-16 |
2018-03-06 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup. |
|
34 |
CVE-2017-18089 |
79 |
|
XSS |
2018-02-16 |
2018-03-06 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review. |
|
35 |
CVE-2017-18084 |
79 |
|
XSS |
2018-02-02 |
2019-04-26 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. |
|
36 |
CVE-2017-18083 |
79 |
|
XSS |
2018-02-02 |
2018-02-15 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. |
|
37 |
CVE-2017-18082 |
79 |
|
XSS |
2018-02-02 |
2018-02-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. |
|
38 |
CVE-2017-18041 |
79 |
|
XSS |
2018-02-02 |
2019-04-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. |
|
39 |
CVE-2017-18040 |
79 |
|
XSS |
2018-02-02 |
2018-10-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. |
|
40 |
CVE-2017-18034 |
79 |
|
XSS |
2018-02-02 |
2020-11-25 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. |
|
41 |
CVE-2017-16865 |
918 |
|
|
2018-01-17 |
2018-02-02 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. |
|
42 |
CVE-2017-14587 |
79 |
|
XSS |
2017-10-11 |
2020-11-25 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. |
|
43 |
CVE-2017-9510 |
79 |
|
XSS |
2017-08-24 |
2020-11-25 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. |
|
44 |
CVE-2017-9509 |
79 |
|
XSS |
2017-08-24 |
2018-01-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file. |
|
45 |
CVE-2017-9508 |
79 |
|
XSS |
2017-08-24 |
2020-11-25 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. |
|
46 |
CVE-2017-9507 |
79 |
|
XSS |
2017-08-24 |
2018-01-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. |
|
47 |
CVE-2016-4318 |
79 |
|
XSS |
2017-04-10 |
2018-02-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name. |
|
48 |
CVE-2016-4317 |
79 |
|
XSS |
2017-04-10 |
2018-02-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. |
|
49 |
CVE-2015-8481 |
200 |
|
+Info |
2016-01-08 |
2016-01-13 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup for an external image reference. |
|
50 |
CVE-2012-1500 |
79 |
|
XSS |
2020-02-13 |
2020-02-24 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code. |
