Vulnerabilities (CVE)

Filtered by vendor Atlassian Subscribe
Total 432 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-9512 1 Atlassian 2 Crucible, Fisheye 2023-12-10 5.0 MEDIUM 7.5 HIGH
The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.
CVE-2017-14588 1 Atlassian 2 Crucible, Fisheye 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.
CVE-2017-14591 1 Atlassian 2 Crucible, Fisheye 2023-12-10 9.3 HIGH 9.0 CRITICAL
Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4.5.0 are vulnerable to argument injection through filenames in Mercurial repositories, allowing attackers to execute arbitrary code on a system running the impacted software.
CVE-2017-14594 1 Atlassian 2 Jira, Jira Server 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
CVE-2017-16862 1 Atlassian 1 Jira 2023-12-10 4.3 MEDIUM 4.3 MEDIUM
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-14586 1 Atlassian 1 Hipchat 2023-12-10 7.5 HIGH 9.8 CRITICAL
The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability.
CVE-2017-16857 1 Atlassian 1 Bitbucket Auto Unapprove Plugin 2023-12-10 6.0 MEDIUM 8.5 HIGH
It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.
CVE-2017-16856 1 Atlassian 1 Confluence 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme.
CVE-2017-14590 1 Atlassian 1 Bamboo 2023-12-10 9.0 HIGH 9.1 CRITICAL
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.
CVE-2017-9514 1 Atlassian 1 Bamboo 2023-12-10 6.5 MEDIUM 8.8 HIGH
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.
CVE-2017-9511 2 Atlassian, Microsoft 3 Crucible, Fisheye, Windows 2023-12-10 5.0 MEDIUM 7.5 HIGH
The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system.
CVE-2016-6283 1 Atlassian 1 Confluence 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
CVE-2017-8080 1 Atlassian 1 Hipchat Server 2023-12-10 6.5 MEDIUM 8.8 HIGH
Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads.
CVE-2017-8768 1 Atlassian 1 Sourcetree 2023-12-10 10.0 HIGH 9.8 CRITICAL
Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.
CVE-2017-7357 1 Atlassian 1 Hipchat Server 2023-12-10 6.5 MEDIUM 9.1 CRITICAL
Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.
CVE-2016-4319 1 Atlassian 1 Jira 2023-12-10 6.8 MEDIUM 8.8 HIGH
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
CVE-2016-4320 1 Atlassian 1 Bitbucket 2023-12-10 4.0 MEDIUM 4.3 MEDIUM
Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.
CVE-2016-4318 1 Atlassian 1 Jira 2023-12-10 3.5 LOW 4.8 MEDIUM
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
CVE-2016-6285 1 Atlassian 1 Jira 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
CVE-2017-8058 1 Atlassian 1 Hipchat 2023-12-10 4.3 MEDIUM 5.9 MEDIUM
Acceptance of invalid/self-signed TLS certificates in Atlassian HipChat before 3.16.2 for iOS allows a man-in-the-middle and/or physically proximate attacker to silently intercept information sent during the login API call.