Vulnerabilities (CVE)

Filtered by vendor Atlassian
Filtered by product Jira
Total 144 CVE
CVE   Vendors (count, name)   Products (count, names)   Updated   CVSS v2 (score, severity)   CVSS v3 (score, severity)
CVE-2019-20402 1 Atlassian 2 Jira, Jira Software Data Center 2023-12-10 4.0 MEDIUM 4.9 MEDIUM
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
CVE-2019-20100 1 Atlassian 3 Jira, Jira Data Center, Jira Server 2023-12-10 4.3 MEDIUM 4.7 MEDIUM
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
CVE-2019-20106 1 Atlassian 4 Jira, Jira Data Center, Jira Server and 1 more 2023-12-10 4.0 MEDIUM 4.3 MEDIUM
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and from 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
CVE-2018-20826 1 Atlassian 1 Jira 2023-12-10 4.0 MEDIUM 4.3 MEDIUM
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
CVE-2019-3399 1 Atlassian 2 Jira, Jira Server 2023-12-10 5.0 MEDIUM 7.5 HIGH
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
CVE-2019-3403 1 Atlassian 2 Jira, Jira Server 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CVE-2019-3402 1 Atlassian 2 Jira, Jira Server 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
CVE-2018-20827 1 Atlassian 1 Jira 2023-12-10 3.5 LOW 5.4 MEDIUM
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
CVE-2019-11584 1 Atlassian 1 Jira 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
CVE-2019-3401 1 Atlassian 2 Jira, Jira Server 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
CVE-2019-8449 1 Atlassian 1 Jira 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
CVE-2019-11586 1 Atlassian 2 Jira, Jira Server 2023-12-10 4.3 MEDIUM 4.3 MEDIUM
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.
CVE-2019-11583 1 Atlassian 1 Jira 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name".
CVE-2019-11581 1 Atlassian 2 Jira, Jira Server 2023-12-10 9.3 HIGH 9.8 CRITICAL
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
CVE-2019-11585 1 Atlassian 2 Jira, Jira Server 2023-12-10 5.8 MEDIUM 6.1 MEDIUM
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website via an open redirect, which they may use as part of performing a phishing attack.
CVE-2019-11587 1 Atlassian 2 Jira, Jira Server 2023-12-10 4.3 MEDIUM 6.5 MEDIUM
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).
CVE-2019-8443 1 Atlassian 2 Jira, Jira Server 2023-12-10 6.8 MEDIUM 8.1 HIGH
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to an administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo", through an improper access control vulnerability.
CVE-2019-11588 1 Atlassian 2 Jira, Jira Server 2023-12-10 4.3 MEDIUM 4.3 MEDIUM
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.
CVE-2018-20824 1 Atlassian 1 Jira 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
CVE-2019-8442 1 Atlassian 2 Jira, Jira Server 2023-12-10 5.0 MEDIUM 7.5 HIGH
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.