Confluence
Sign in to watchby Atlassian
CVEs (9)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2012-2926 | Cri | 0.68 | 9.1 | 0.68 | May 22, 2012 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. | |
| CVE-2017-16856 | Med | 0.40 | 6.1 | 0.00 | Dec 5, 2017 | The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. | |
| CVE-2017-9505 | Med | 0.28 | 4.3 | 0.00 | Jun 15, 2017 | Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. | |
| CVE-2019-3398 | 0.23 | — | 0.94 | KEV | Apr 18, 2019 | Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. | |
| CVE-2018-13389 | 0.00 | — | 0.00 | Jul 10, 2018 | The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. | ||
| CVE-2017-18084 | 0.00 | — | 0.00 | Feb 2, 2018 | The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. | ||
| CVE-2017-18083 | 0.00 | — | 0.00 | Feb 2, 2018 | The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. | ||
| CVE-2017-18085 | 0.00 | — | 0.00 | Feb 2, 2018 | The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. | ||
| CVE-2005-3967 | 0.00 | — | 0.00 | Dec 3, 2005 | Cross-site scripting (XSS) vulnerability in the dosearchsite.action module in Atlassian Confluence 2.0.1 Build 321 allows remote attackers to inject arbitrary web script or HTML via the searchQuery.queryString search module parameter. |