Total
144 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20402 | 1 Atlassian | 2 Jira, Jira Software Data Center | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability. | |||||
CVE-2019-20100 | 1 Atlassian | 3 Jira, Jira Data Center, Jira Server | 2023-12-10 | 4.3 MEDIUM | 4.7 MEDIUM |
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. | |||||
CVE-2019-20106 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. | |||||
CVE-2018-20826 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. | |||||
CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2019-3402 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
CVE-2018-20827 | 1 Atlassian | 1 Jira | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. | |||||
CVE-2019-11584 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority. | |||||
CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2019-8449 | 1 Atlassian | 1 Jira | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |||||
CVE-2019-11586 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2019-11583 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name". | |||||
CVE-2019-11581 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 9.3 HIGH | 9.8 CRITICAL |
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability. | |||||
CVE-2019-11585 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
CVE-2019-11587 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). | |||||
CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
CVE-2019-11588 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2018-20824 | 1 Atlassian | 1 Jira | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. | |||||
CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. |