Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Atlassian Subscribe
Total 429 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-39117 1 Atlassian 2 Data Center, Jira 2024-02-04 3.5 LOW 4.8 MEDIUM
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
CVE-2021-37843 1 Atlassian 1 Saml Single Sign On 2024-02-04 7.5 HIGH 9.8 CRITICAL
The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9.
CVE-2021-39113 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 7.5 HIGH
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
CVE-2021-26073 1 Atlassian 1 Connect Express 2024-02-04 4.0 MEDIUM 7.7 HIGH
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
CVE-2020-29445 1 Atlassian 1 Confluence Server 2024-02-04 4.0 MEDIUM 4.3 MEDIUM
Affected versions of Confluence Server before 7.4.8, and versions from 7.5.0 before 7.11.0 allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters.
CVE-2021-26072 1 Atlassian 2 Confluence Data Center, Confluence Server 2024-02-04 4.0 MEDIUM 4.3 MEDIUM
The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
CVE-2020-36286 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field.
CVE-2021-39111 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the handling of supplied content such as from a PDF when pasted into a field such as the description field.
CVE-2021-26085 1 Atlassian 2 Confluence Data Center, Confluence Server 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
CVE-2020-36239 1 Atlassian 3 Jira Data Center, Jira Service Desk, Jira Service Management 2024-02-04 7.5 HIGH 9.8 CRITICAL
Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.
CVE-2021-26071 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 3.5 LOW 3.5 LOW
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.
CVE-2021-26078 1 Atlassian 3 Data Center, Jira, Jira Server 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CVE-2021-26081 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.
CVE-2021-26080 1 Atlassian 2 Jira Data Center, Jira Server 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
CVE-2021-26083 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 3.5 LOW 5.4 MEDIUM
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
CVE-2017-18113 1 Atlassian 2 Data Center, Jira 2024-02-04 6.8 MEDIUM 8.8 HIGH
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.
CVE-2020-36238 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
CVE-2021-39112 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 4.9 MEDIUM 4.8 MEDIUM
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
CVE-2020-36289 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
CVE-2020-36287 1 Atlassian 4 Data Center, Jira, Jira Data Center and 1 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.