VYPR

Jira

by Atlassian

Source repositories

CVEs (94)

  • CVE-2022-26136 (Jul 20, 2022)
    risk 0.00 | cvss | epss 0.04

    A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in…

  • CVE-2022-32274 (Jul 13, 2022)
    risk 0.00 | cvss | epss 0.01

    The Transition Scheduler add-on 6.5.0 for Atlassian Jira is prone to stored XSS via the project name to the creation function.

  • CVE-2021-39128 (Sep 16, 2021)
    risk 0.00 | cvss | epss 0.02

    Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected…

  • CVE-2021-26080 (Jun 7, 2021)
    risk 0.00 | cvss | epss 0.01

    EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

  • CVE-2021-26071 (Apr 1, 2021)
    risk 0.00 | cvss | epss 0.00

    The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site…

  • CVE-2019-20901 (Jul 13, 2020)
    risk 0.00 | cvss | epss 0.01

    The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.

  • CVE-2020-14168 (Jul 1, 2020)
    risk 0.00 | cvss | epss 0.02

    The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM)…

  • CVE-2019-20408 (Jul 1, 2020)
    risk 0.00 | cvss | epss 0.01

    The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

  • CVE-2020-4028 (Jun 23, 2020)
    risk 0.00 | cvss | epss 0.01

    In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an Information Disclosure…

  • CVE-2019-20401 (Feb 6, 2020)
    risk 0.00 | cvss | epss 0.01

    Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

  • CVE-2019-20400 (Feb 6, 2020)
    risk 0.00 | cvss | epss 0.00

    The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a DLL file to a directory in the global PATH environment variable to inject code via a DLL hijacking vulnerability.

  • CVE-2019-15013 (Dec 18, 2019)
    risk 0.00 | cvss | epss 0.01

    The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue…

  • CVE-2019-8450 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.01

    Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the…

  • CVE-2019-14998 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.01

    The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.

  • CVE-2019-14997 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.01

    The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information exposure through caching vulnerability when Jira is configured with a reverse proxy and/or a load balancer with…

  • CVE-2019-14996 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.01

    The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.

  • CVE-2019-14995 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.03

    The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.

  • CVE-2019-8447 (Aug 23, 2019)
    risk 0.00 | cvss | epss 0.01

    The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-8445 (Aug 23, 2019)
    risk 0.00 | cvss | epss 0.03

    Several worklog REST resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.

  • CVE-2019-8444 (Aug 23, 2019)
    risk 0.00 | cvss | epss 0.01

    The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.