Vulnerabilities (CVE)

Filtered by vendor Atlassian Subscribe
Total 405 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-20238 1 Atlassian 1 Crowd 2019-02-26 5.5 MEDIUM 8.1 HIGH
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
CVE-2018-20233 1 Atlassian 1 Universal Plugin Manager 2019-02-06 5.5 MEDIUM 6.5 MEDIUM
The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
CVE-2016-10740 1 Atlassian 1 Crowd 2019-01-31 4.0 MEDIUM 4.9 MEDIUM
Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources.
CVE-2018-1000422 1 Atlassian 1 Crowd2 2019-01-30 4.0 MEDIUM 6.5 MEDIUM
An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings.
CVE-2018-13398 1 Atlassian 2 Crucible, Fisheye 2018-12-13 4.3 MEDIUM 6.5 MEDIUM
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18040 1 Atlassian 1 Bamboo 2018-10-17 3.5 LOW 5.4 MEDIUM
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
CVE-2018-13394 1 Atlassian 1 Questions For Confluence 2018-10-12 4.3 MEDIUM 6.5 MEDIUM
The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
CVE-2018-13393 1 Atlassian 1 Questions For Confluence 2018-10-12 4.3 MEDIUM 6.5 MEDIUM
The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
CVE-2016-4320 1 Atlassian 1 Bitbucket 2018-10-12 4.0 MEDIUM 4.3 MEDIUM
Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.
CVE-2018-13392 1 Atlassian 2 Crucible, Fisheye 2018-10-10 4.3 MEDIUM 6.1 MEDIUM
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
CVE-2017-7357 1 Atlassian 1 Hipchat Server 2018-10-09 6.5 MEDIUM 9.1 CRITICAL
Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.
CVE-2016-5229 1 Atlassian 1 Bamboo 2018-10-09 7.5 HIGH 9.8 CRITICAL
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.
CVE-2016-6496 1 Atlassian 1 Crowd 2018-10-09 7.5 HIGH 9.8 CRITICAL
The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.
CVE-2015-8398 1 Atlassian 1 Confluence 2018-10-09 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
CVE-2015-8360 1 Atlassian 1 Bamboo 2018-10-09 7.5 HIGH 9.8 CRITICAL
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
CVE-2015-8361 1 Atlassian 1 Bamboo 2018-10-09 6.4 MEDIUM 9.1 CRITICAL
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
CVE-2015-8399 1 Atlassian 1 Confluence 2018-10-09 4.0 MEDIUM 4.3 MEDIUM
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
CVE-2015-5603 1 Atlassian 1 Hipchat 2018-10-09 6.5 MEDIUM N/A
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
CVE-2014-9757 1 Atlassian 1 Bamboo 2018-10-09 7.5 HIGH 9.8 CRITICAL
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
CVE-2017-18103 1 Atlassian 1 Http Library 2018-09-14 4.3 MEDIUM 4.7 MEDIUM
The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml.