Filtered by vendor Atlassian
Subscribe
Total
432 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
| CVE-2018-20234 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. | |||||
| CVE-2018-13396 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. | |||||
| CVE-2018-1000423 | 1 Atlassian | 1 Crowd2 | 2023-12-10 | 2.1 LOW | 7.8 HIGH |
| An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2. | |||||
| CVE-2016-10740 | 1 Atlassian | 1 Crowd | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources. | |||||
| CVE-2018-13397 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. | |||||
| CVE-2018-13395 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved. | |||||
| CVE-2018-13402 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | |||||
| CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. | |||||
| CVE-2018-13390 | 1 Atlassian | 1 Cloudtoken | 2023-12-10 | 4.8 MEDIUM | 6.1 MEDIUM |
| Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles. | |||||
| CVE-2018-1000418 | 1 Atlassian | 1 Hipchat | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
| An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.0 MEDIUM | 4.1 MEDIUM |
| The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2017-18103 | 1 Atlassian | 1 Http Library | 2023-12-10 | 4.3 MEDIUM | 4.7 MEDIUM |
| The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml. | |||||
| CVE-2018-13392 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. | |||||
| CVE-2018-1000422 | 1 Atlassian | 1 Crowd2 | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings. | |||||
| CVE-2018-5229 | 1 Atlassian | 1 Universal Plugin Manager | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names. | |||||
| CVE-2018-13386 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability. | |||||
| CVE-2018-13398 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability. | |||||
| CVE-2018-13391 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden. | |||||