Vulnerabilities (CVE)

Filtered by vendor Atlassian Subscribe
Total 405 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-11582 1 Atlassian 1 Sourcetree 2019-06-17 9.3 HIGH 8.8 HIGH
An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI.
CVE-2019-3397 1 Atlassian 1 Bitbucket 2019-06-03 9.0 HIGH 9.1 CRITICAL
Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool.
CVE-2017-9506 1 Atlassian 1 Oauth 2019-05-10 4.3 MEDIUM 6.1 MEDIUM
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
CVE-2018-20824 1 Atlassian 1 Jira 2019-05-06 4.3 MEDIUM 6.1 MEDIUM
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
CVE-2015-6576 1 Atlassian 1 Bamboo 2019-05-03 6.5 MEDIUM 8.8 HIGH
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
CVE-2017-18041 1 Atlassian 1 Bamboo 2019-04-30 3.5 LOW 5.4 MEDIUM
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
CVE-2017-18039 1 Atlassian 1 Jira 2019-04-29 4.3 MEDIUM 6.1 MEDIUM
The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter.
CVE-2017-18042 1 Atlassian 1 Bamboo 2019-04-29 6.8 MEDIUM 8.8 HIGH
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18086 1 Atlassian 1 Confluence 2019-04-26 4.3 MEDIUM 6.1 MEDIUM
Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter.
CVE-2017-18085 1 Atlassian 1 Confluence 2019-04-26 4.3 MEDIUM 6.1 MEDIUM
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter.
CVE-2017-18084 1 Atlassian 1 Confluence 2019-04-26 3.5 LOW 4.8 MEDIUM
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CVE-2017-18081 1 Atlassian 1 Bamboo 2019-04-26 4.3 MEDIUM 6.1 MEDIUM
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
CVE-2017-18111 1 Atlassian 1 Application Links 2019-04-01 5.5 MEDIUM 8.7 HIGH
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.
CVE-2017-18105 1 Atlassian 1 Crowd 2019-04-01 6.8 MEDIUM 8.1 HIGH
The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability.
CVE-2017-18106 1 Atlassian 1 Crowd 2019-04-01 6.0 MEDIUM 7.5 HIGH
The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash.
CVE-2017-18108 1 Atlassian 1 Crowd 2019-04-01 6.5 MEDIUM 7.2 HIGH
The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.
CVE-2017-18110 1 Atlassian 1 Crowd 2019-04-01 4.0 MEDIUM 6.5 MEDIUM
The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.
CVE-2017-18109 1 Atlassian 1 Crowd 2019-04-01 5.8 MEDIUM 6.1 MEDIUM
The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.
CVE-2018-20240 1 Atlassian 2 Crucible, Fisheye 2019-02-26 3.5 LOW 4.8 MEDIUM
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.
CVE-2018-20241 1 Atlassian 2 Crucible, Fisheye 2019-02-26 3.5 LOW 5.4 MEDIUM
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.