Filtered by vendor Atlassian
Subscribe
Total
405 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11582 | 1 Atlassian | 1 Sourcetree | 2019-06-17 | 9.3 HIGH | 8.8 HIGH |
| An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI. | |||||
| CVE-2019-3397 | 1 Atlassian | 1 Bitbucket | 2019-06-03 | 9.0 HIGH | 9.1 CRITICAL |
| Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool. | |||||
| CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2019-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). | |||||
| CVE-2018-20824 | 1 Atlassian | 1 Jira | 2019-05-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | |||||
| CVE-2015-6576 | 1 Atlassian | 1 Bamboo | 2019-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | |||||
| CVE-2017-18041 | 1 Atlassian | 1 Bamboo | 2019-04-30 | 3.5 LOW | 5.4 MEDIUM |
| The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. | |||||
| CVE-2017-18039 | 1 Atlassian | 1 Jira | 2019-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter. | |||||
| CVE-2017-18042 | 1 Atlassian | 1 Bamboo | 2019-04-29 | 6.8 MEDIUM | 8.8 HIGH |
| The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2017-18086 | 1 Atlassian | 1 Confluence | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. | |||||
| CVE-2017-18085 | 1 Atlassian | 1 Confluence | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | |||||
| CVE-2017-18084 | 1 Atlassian | 1 Confluence | 2019-04-26 | 3.5 LOW | 4.8 MEDIUM |
| The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. | |||||
| CVE-2017-18081 | 1 Atlassian | 1 Bamboo | 2019-04-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. | |||||
| CVE-2017-18111 | 1 Atlassian | 1 Application Links | 2019-04-01 | 5.5 MEDIUM | 8.7 HIGH |
| The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability. | |||||
| CVE-2017-18105 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.8 MEDIUM | 8.1 HIGH |
| The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability. | |||||
| CVE-2017-18106 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.0 MEDIUM | 7.5 HIGH |
| The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash. | |||||
| CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.5 MEDIUM | 7.2 HIGH |
| The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
| CVE-2017-18110 | 1 Atlassian | 1 Crowd | 2019-04-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. | |||||
| CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2019-04-01 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
| CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2019-02-26 | 3.5 LOW | 4.8 MEDIUM |
| The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. | |||||
| CVE-2018-20241 | 1 Atlassian | 2 Crucible, Fisheye | 2019-02-26 | 3.5 LOW | 5.4 MEDIUM |
| The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter. | |||||