Vulnerabilities (CVE)

Filtered by vendor Atlassian Subscribe
Total 398 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18083 1 Atlassian 1 Confluence 2018-02-15 3.5 LOW 5.4 MEDIUM
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CVE-2017-18038 1 Atlassian 1 Bitbucket 2018-02-14 5.0 MEDIUM 5.3 MEDIUM
The repository settings resource in Atlassian Bitbucket Server before version 5.6.0 allows remote attackers to read the first line of arbitrary files via a path traversal vulnerability through the default branch name.
CVE-2017-18082 1 Atlassian 1 Bamboo 2018-02-13 3.5 LOW 5.4 MEDIUM
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
CVE-2017-18080 1 Atlassian 1 Bamboo 2018-02-13 6.8 MEDIUM 8.8 HIGH
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18033 1 Atlassian 1 Jira 2018-02-05 4.3 MEDIUM 6.5 MEDIUM
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
CVE-2017-16863 1 Atlassian 1 Jira 2018-02-05 4.3 MEDIUM 6.1 MEDIUM
The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
CVE-2017-16865 1 Atlassian 1 Jira 2018-02-02 3.5 LOW 5.3 MEDIUM
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.
CVE-2017-16864 1 Atlassian 1 Jira 2018-01-31 4.3 MEDIUM 6.1 MEDIUM
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
CVE-2017-16862 1 Atlassian 1 Jira 2018-01-31 4.3 MEDIUM 4.3 MEDIUM
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-9507 1 Atlassian 2 Crucible, Fisheye 2018-01-31 3.5 LOW 5.4 MEDIUM
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter.
CVE-2017-9509 1 Atlassian 2 Crucible, Fisheye 2018-01-31 3.5 LOW 5.4 MEDIUM
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file.
CVE-2017-14589 1 Atlassian 1 Bamboo 2018-01-10 6.8 MEDIUM 9.6 CRITICAL
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
CVE-2017-14585 1 Atlassian 2 Hipchat Data Center, Hipchat Server 2017-12-20 9.0 HIGH 7.2 HIGH
A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.
CVE-2017-14591 1 Atlassian 2 Crucible, Fisheye 2017-12-20 9.3 HIGH 9.0 CRITICAL
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
CVE-2017-16856 1 Atlassian 1 Confluence 2017-12-19 4.3 MEDIUM 6.1 MEDIUM
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme.
CVE-2012-2927 2 Atlassian, Tm Software 4 Jira, Tempo, Tempo6.3.0 and 1 more 2017-08-29 4.0 MEDIUM N/A
The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (resource consumption) via unspecified vectors.
CVE-2011-4822 1 Atlassian 1 Fisheye 2017-08-29 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the user profile feature in Atlassian FishEye before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via (1) snippets in a user comment, which is not properly handled in a Confluence page, or (2) the user profile display name, which is not properly handled in a FishEye page.
CVE-2010-1164 1 Atlassian 1 Jira 2017-08-17 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010.
CVE-2010-1165 1 Atlassian 1 Jira 2017-08-17 9.0 HIGH N/A
Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010.
CVE-2008-6831 1 Atlassian 1 Jira 2017-08-17 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA Enterprise Edition 3.13 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname (Full Name) parameter in the ViewProfile page or (2) returnUrl parameter in a form, as demonstrated using secure/AddComment!default.jspa (aka "Add Comment").