Confluence Data Center
by Atlassian
CVEs (41)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-26137 | Hig | 0.57 | 8.8 | 0.02 | Jul 20, 2022 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this… | ||
| CVE-2021-39114 | Hig | 0.57 | 8.8 | 0.02 | Apr 5, 2022 | Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23,… | ||
| CVE-2024-21678 | Hig | 0.55 | 8.5 | 0.00 | Feb 20, 2024 | This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high… | ||
| CVE-2024-21690 | Hig | 0.53 | 8.2 | 0.01 | Aug 21, 2024 | This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF… | ||
| CVE-2021-43940 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2022 | Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence… | ||
| CVE-2019-20406 | Hig | 0.51 | 7.8 | 0.00 | Feb 6, 2020 | The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable… | ||
| CVE-2023-22512 | Hig | 0.50 | 7.5 | 0.14 | Jan 16, 2024 | This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by… | ||
| CVE-2024-21674 | Hig | 0.49 | 7.5 | 0.02 | Jan 16, 2024 | This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an… | ||
| CVE-2024-21703 | Med | 0.42 | 6.4 | 0.00 | Nov 27, 2024 | This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows… | ||
| CVE-2023-22504 | Med | 0.42 | 6.5 | 0.01 | May 25, 2023 | Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. | ||
| CVE-2020-29450 | Med | 0.42 | 6.5 | 0.02 | Jan 19, 2021 | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. | ||
| CVE-2019-15006 | Med | 0.42 | 6.5 | 0.02 | Dec 19, 2019 | There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence… | ||
| CVE-2018-20237 | Med | 0.42 | 6.5 | 0.02 | Feb 13, 2019 | Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | ||
| CVE-2023-22503 | Med | 0.35 | 5.3 | 0.01 | May 1, 2023 | Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This… | ||
| CVE-2020-36290 | Med | 0.35 | 5.4 | 0.01 | Jul 26, 2022 | The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site… | ||
| CVE-2020-29448 | Med | 0.35 | 5.3 | 0.02 | Feb 22, 2021 | The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories… | ||
| CVE-2020-14175 | Med | 0.35 | 5.4 | 0.01 | Jul 24, 2020 | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before… | ||
| CVE-2021-26072 | Med | 0.31 | 4.3 | 0.39 | Apr 1, 2021 | The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. | ||
| CVE-2020-4027 | Med | 0.31 | 4.7 | 0.02 | Jul 1, 2020 | Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version… | ||
| CVE-2019-15005 | Med | 0.28 | 4.3 | 0.01 | Nov 8, 2019 | The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration… |
- risk 0.57cvss 8.8epss 0.02
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this…
- risk 0.57cvss 8.8epss 0.02
Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23,…
- risk 0.55cvss 8.5epss 0.00
This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high…
- risk 0.53cvss 8.2epss 0.01
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF…
- risk 0.51cvss 7.8epss 0.00
Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence…
- risk 0.51cvss 7.8epss 0.00
The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable…
- risk 0.50cvss 7.5epss 0.14
This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by…
- risk 0.49cvss 7.5epss 0.02
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an…
- risk 0.42cvss 6.4epss 0.00
This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows…
- risk 0.42cvss 6.5epss 0.01
Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.
- risk 0.42cvss 6.5epss 0.02
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
- risk 0.42cvss 6.5epss 0.02
There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence…
- risk 0.42cvss 6.5epss 0.02
Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.
- risk 0.35cvss 5.3epss 0.01
Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This…
- risk 0.35cvss 5.4epss 0.01
The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site…
- risk 0.35cvss 5.3epss 0.02
The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories…
- risk 0.35cvss 5.4epss 0.01
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before…
- risk 0.31cvss 4.3epss 0.39
The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
- risk 0.31cvss 4.7epss 0.02
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version…
- risk 0.28cvss 4.3epss 0.01
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration…
Page 2 of 3