Filtered by vendor Atlassian
Subscribe
Total
432 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-18096 | 1 Atlassian | 1 Application Links | 2023-12-10 | 4.0 MEDIUM | 7.2 HIGH |
The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then redirecting access from the linked location's OAuth status rest resource to an internal location. When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | |||||
CVE-2017-18037 | 1 Atlassian | 1 Bitbucket | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag. | |||||
CVE-2017-18092 | 1 Atlassian | 1 Crucible | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The print snippet resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of a comment on the snippet. | |||||
CVE-2017-18093 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the location setting of a configured repository. | |||||
CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
CVE-2017-18086 | 1 Atlassian | 1 Confluence | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. | |||||
CVE-2017-18089 | 1 Atlassian | 1 Crucible | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The view review history resource in Atlassian Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the invited reviewers for a review. | |||||
CVE-2017-9507 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The review dashboard resource in Atlassian Crucible from version 4.1.0 before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the review filter title parameter. | |||||
CVE-2017-16864 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter. | |||||
CVE-2017-14585 | 1 Atlassian | 2 Hipchat Data Center, Hipchat Server | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected. | |||||
CVE-2017-9510 | 1 Atlassian | 1 Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The repository changelog resource in Atlassian Fisheye before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the start date and end date parameters. | |||||
CVE-2017-9505 | 1 Atlassian | 1 Confluence | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | |||||
CVE-2017-16865 | 1 Atlassian | 1 Jira | 2023-12-10 | 3.5 LOW | 5.3 MEDIUM |
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. | |||||
CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | |||||
CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | |||||
CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). | |||||
CVE-2017-8907 | 1 Atlassian | 1 Bamboo | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. | |||||
CVE-2017-14589 | 1 Atlassian | 1 Bamboo | 2023-12-10 | 6.8 MEDIUM | 9.6 CRITICAL |
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. | |||||
CVE-2017-9509 | 1 Atlassian | 2 Crucible, Fisheye | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The review file upload resource in Atlassian Crucible before version 4.4.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the charset of a previously uploaded file. | |||||
CVE-2015-6576 | 1 Atlassian | 1 Bamboo | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. |