Jira
by Atlassian
CVEs (94)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10716 | | Med | 0.35 | 5.4 | 0.01 | | Mar 16, 2018 | The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS via the Name field in a Create Calendar action, related to a MailRuCalendar.jspa#period/month URI. |
| CVE-2016-10715 | | Med | 0.35 | 5.4 | 0.01 | | Mar 16, 2018 | The Artezio Kanban Board plugin 1.4 revision 1914 for Atlassian Jira has XSS via the Board Name in a Create New Board action, related to an artezioboard/mainPage.jspa?kanbanId=7#/kanban-view URI. |
| CVE-2017-16865 | | Med | 0.35 | 5.3 | 0.01 | | Jan 17, 2018 | The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource… |
| CVE-2016-4318 | | Med | 0.31 | 4.8 | 0.01 | | Apr 10, 2017 | Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name. |
| CVE-2017-16862 | | Med | 0.28 | 4.3 | 0.01 | | Jan 12, 2018 | The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-8449 | | | 0.09 | — | 0.85 | | Sep 11, 2019 | The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. |
| CVE-2019-8451 | | | 0.08 | — | 0.94 | | Sep 11, 2019 | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. |
| CVE-2015-5603 | | | 0.08 | — | 0.59 | | Sep 21, 2015 | The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability." |
| CVE-2020-14179 | | | 0.07 | — | 0.76 | | Sep 21, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before… |
| CVE-2019-8442 | | | 0.07 | — | 0.60 | | May 22, 2019 | The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access… |
| CVE-2019-3403 | | | 0.07 | — | 0.53 | | May 22, 2019 | The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. |
| CVE-2019-8446 | | | 0.06 | — | 0.18 | | Aug 23, 2019 | The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. |
| CVE-2019-3401 | | | 0.05 | — | 0.13 | | May 22, 2019 | The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. |
| CVE-2014-2314 | | | 0.05 | — | 0.26 | | Mar 9, 2014 | Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors. |
| CVE-2022-39960 | | | 0.03 | — | 0.26 | | Sep 17, 2022 | The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/… |
| CVE-2012-1500 | | | 0.03 | — | 0.01 | | Feb 13, 2020 | Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code. |
| CVE-2019-3402 | | | 0.01 | — | 0.09 | | May 22, 2019 | The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. |
| CVE-2018-20824 | | | 0.01 | — | 0.38 | | May 3, 2019 | The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter. |
| CVE-2019-15002 | | | 0.00 | — | 0.00 | | Feb 11, 2025 | An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn't require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account. |
| CVE-2022-26137 | | | 0.00 | — | 0.02 | | Jul 20, 2022 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this… |
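Several rows above name a concrete endpoint (the two user pickers, issueTable, ManageFilters.jspa, makeRequest, QueryComponent!Default.jspa, the META-INF path, the group-export servlet), which is enough for a hunting rule a defender can run over Jira access logs before and after upgrading. The script below is an added example, not code from this page or from Atlassian. It assumes Apache/Tomcat common-log-format lines with "-" as the user field for unauthenticated requests (the table says nothing about log format; adjust LOG_RE for a real deployment), matches only the path fragments the descriptions name, and uses constructed sample log lines. The function names classify, scan, priority and summarize are this example's own.

```python
"""Hunt a Jira access log for hits on the endpoints named in the CVE table.

Added example; not code from the page or from Atlassian.  Assumptions not on
the page: lines are in Apache/Tomcat "common" format
(ip ident user [time] "METHOD target HTTP/x" status bytes) with "-" as the
user when the request was unauthenticated; adjust LOG_RE for a real log.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Path fragments taken from the CVE descriptions in the table.  No left anchor,
# so a context path such as /jira/... still matches.  A hit means the endpoint
# was touched, not that exploitation succeeded; the version ranges in the table
# decide whether the instance was actually exposed at the time.
ENDPOINTS = {
    "CVE-2019-8449": (re.compile(r"/rest/api/latest/groupuserpicker\b"), None),
    "CVE-2019-3403": (re.compile(r"/rest/api/2/user/picker\b"), None),
    "CVE-2019-8446": (re.compile(r"/rest/issueNav/1/issueTable\b"), None),
    "CVE-2019-3401": (re.compile(r"/ManageFilters\.jspa\b"), None),
    "CVE-2019-8451": (re.compile(r"/plugins/servlet/gadgets/makeRequest\b"), None),
    "CVE-2020-14179": (re.compile(r"/secure/QueryComponent!Default\.jspa\b"), None),
    "CVE-2019-8442": (re.compile(r"/META-INF/", re.IGNORECASE), None),
    # The table truncates this add-on's servlet path; only the visible prefix
    # is matched, together with the query parameter the description names.
    "CVE-2022-39960": (re.compile(r"/plugins/servlet/groupexportforjira/admin/"),
                       ("groupexport_download", "true")),
}

# Common log format (assumed): ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(line):
    """Return a finding dict if the line hits a listed endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parsable access-log record
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    for cve, (path_re, needed) in ENDPOINTS.items():
        if not path_re.search(url.path):
            continue
        if needed and query.get(needed[0]) != [needed[1]]:
            continue
        return {
            "cve": cve,
            "ip": m["ip"],
            "user": m["user"],
            "method": m["method"],
            "path": url.path,
            "status": int(m["status"]),
            # "-" is the unauthenticated marker in this (assumed) log format
            "unauthenticated": m["user"] == "-",
        }
    return None


def scan(lines):
    """Classify every line; unparsable lines are skipped, not fatal."""
    return [f for f in map(classify, lines) if f]


def priority(findings):
    """Unauthenticated requests that got a 200: triage these first.  The user
    picker and issue table are used legitimately by logged-in users, so
    authenticated hits are mostly noise unless they come in bursts."""
    return [f for f in findings if f["unauthenticated"] and f["status"] == 200]


def summarize(findings):
    """Hit count per (client ip, CVE): repeated picker hits from one
    unauthenticated source are the shape username enumeration takes."""
    return Counter((f["ip"], f["cve"]) for f in findings)


# Constructed sample lines (not real traffic): an unauthenticated client
# probing the group/user picker and makeRequest endpoints, a normal logged-in
# user, a META-INF fetch, a rejected issueTable request and one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Sep/2019:10:01:02 +0000] "GET /rest/api/latest/groupuserpicker?query=adm&maxResults=1000 HTTP/1.1" 200 4120
203.0.113.7 - - [11/Sep/2019:10:01:03 +0000] "GET /rest/api/latest/groupuserpicker?query=root&maxResults=1000 HTTP/1.1" 200 3980
198.51.100.4 - alice [11/Sep/2019:10:02:15 +0000] "GET /browse/PROJ-123 HTTP/1.1" 200 52113
203.0.113.7 - - [11/Sep/2019:10:03:40 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://10.0.0.5:8080/ HTTP/1.1" 200 1522
198.51.100.4 - alice [11/Sep/2019:10:04:01 +0000] "GET /rest/api/2/user/picker?query=al HTTP/1.1" 200 611
192.0.2.9 - - [11/Sep/2019:10:05:12 +0000] "GET /jira/META-INF/maven/pom.properties HTTP/1.1" 200 311
203.0.113.7 - - [11/Sep/2019:10:06:30 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 401 0
this line is not an access-log record
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in priority(found):
        print(f"{f['cve']:15} {f['ip']:14} {f['method']} {f['path']}")
    for (ip, cve), n in summarize(found).most_common():
        print(f"{n:3}x {cve} from {ip}")
```

Run it against a real log with `scan(open(path))`; the priority list is the set to look at first, and the per-IP counts separate a single curious request from an enumeration run. A hit on a patched instance still tells you who was probing, which is worth keeping as a low-severity signal.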
Page 2 of 5