Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.06% | Published: 2023-05-25 | Updated: 2023-06-07
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2022-08-10 | Updated: 2022-08-12
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 2.78% | Published: 2022-06-30 | Updated: 2022-08-04
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.12% | Published: 2022-03-16 | Updated: 2022-03-22
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.09% | Published: 2022-01-05 | Updated: 2023-02-24
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2022-01-04 | Updated: 2022-03-28
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.08% | Published: 2022-02-15 | Updated: 2022-06-10
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2021-11-01 | Updated: 2021-11-02
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.09% | Published: 2021-10-26 | Updated: 2022-08-09
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.2.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.10% | Published: 2021-10-26 | Updated: 2022-03-30
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.16% | Published: 2021-10-21 | Updated: 2022-04-15
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-08-30 | Updated: 2022-03-30
EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-06-07 | Updated: 2022-05-05
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-06-07 | Updated: 2022-03-30
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.29% | Published: 2021-06-07 | Updated: 2022-04-22
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2021-04-16 | Updated: 2022-03-01
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-04-15 | Updated: 2022-03-30
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2021-02-15 | Updated: 2022-03-30
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.12% | Published: 2021-01-19 | Updated: 2022-08-30
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from version 8.6.0 before 8.10.2; and from version 8.11.0 before 8.11.1.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.14% | Published: 2020-09-21 | Updated: 2022-03-28
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.48% | Published: 2020-07-09 | Updated: 2020-07-15
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2020-07-01 | Updated: 2020-07-09
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross-Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
Source: Atlassian | Max CVSS: 6.1 | EPSS Score: 0.11% | Published: 2020-07-01 | Updated: 2020-07-13
Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations.
Source: MITRE | Max CVSS: 6.1 | EPSS Score: 0.21% | Published: 2020-03-20 | Updated: 2020-03-23
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
Source: Atlassian | Max CVSS: 6.5 | EPSS Score: 0.11% | Published: 2020-07-01 | Updated: 2021-12-13
94 vulnerabilities found