Filtered by vendor Atlassian
Subscribe
Total
432 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-5231 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it. | |||||
CVE-2018-5223 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) are affected by this vulnerability. | |||||
CVE-2017-18087 | 1 Atlassian | 1 Bitbucket | 2023-12-10 | 6.0 MEDIUM | 7.5 HIGH |
The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability in the at parameter. | |||||
CVE-2015-6569 | 1 Atlassian | 1 Floodlight | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Race condition in the LoadBalancer module in the Atlassian Floodlight Controller before 1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and thread crash) via a state manipulation attack. | |||||
CVE-2017-14593 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability | |||||
CVE-2018-5226 | 1 Atlassian | 1 Sourcetree | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability. | |||||
CVE-2017-18034 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. | |||||
CVE-2017-18091 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the filename of a backup. | |||||
CVE-2018-5230 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified. | |||||
CVE-2017-18102 | 1 Atlassian | 1 Jira Server | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup. | |||||
CVE-2017-16858 | 1 Atlassian | 1 Crowd | 2023-12-10 | 4.9 MEDIUM | 6.8 MEDIUM |
The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1. | |||||
CVE-2017-16861 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability. | |||||
CVE-2017-18100 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters. | |||||
CVE-2017-18101 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks. | |||||
CVE-2017-18080 | 1 Atlassian | 1 Bamboo | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2017-18041 | 1 Atlassian | 1 Bamboo | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. | |||||
CVE-2017-16859 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command parameter. | |||||
CVE-2018-5225 | 1 Atlassian | 1 Bitbucket | 2023-12-10 | 6.5 MEDIUM | 9.9 CRITICAL |
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository. | |||||
CVE-2017-18097 | 1 Atlassian | 1 Jira | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card. | |||||
CVE-2017-16860 | 1 Atlassian | 1 Application Links | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message. |