Total
144 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
CVE-2019-15005 | 1 Atlassian | 8 Bamboo, Bitbucket, Confluence and 5 more | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2. | |||||
CVE-2019-20106 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. | |||||
CVE-2019-11585 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
CVE-2019-11584 | 1 Atlassian | 1 Jira | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority. | |||||
CVE-2019-11588 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2019-3399 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. | |||||
CVE-2019-11581 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 9.3 HIGH | 9.8 CRITICAL |
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability. | |||||
CVE-2019-11587 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). | |||||
CVE-2019-3403 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
CVE-2019-3402 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
CVE-2019-11586 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. | |||||
CVE-2018-20827 | 1 Atlassian | 1 Jira | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. | |||||
CVE-2018-20826 | 1 Atlassian | 1 Jira | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. | |||||
CVE-2019-8449 | 1 Atlassian | 1 Jira | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. | |||||
CVE-2019-8442 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. | |||||
CVE-2019-8443 | 1 Atlassian | 2 Jira, Jira Server | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability. | |||||
CVE-2019-11583 | 1 Atlassian | 1 Jira | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name". | |||||
CVE-2018-20824 | 1 Atlassian | 1 Jira | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. |