Atlassian

All CVEs

471 total · sorted by risk
  • CVE-2015-6569 · Med · Feb 21, 2018
    risk 0.32 · cvss 5.9 · epss 0.02

    Race condition in the LoadBalancer module in the Atlassian Floodlight Controller before 1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and thread crash) via a state manipulation attack.

  • CVE-2017-18103 · Med · Jul 18, 2018
    risk 0.31 · cvss 4.7 · epss 0.01

    The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml.

  • CVE-2018-13389 · Med · Jul 10, 2018
    risk 0.31 · cvss 4.7 · epss 0.01

    The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.

  • CVE-2018-5227 · Med · Apr 10, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured…

  • CVE-2017-18094 · Med · Mar 22, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and 4.5.0 allow remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the base path…

  • CVE-2017-18093 · Med · Feb 19, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    Various resources in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allow remote attackers who have permission to add or modify a repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability…

  • CVE-2017-18091 · Med · Feb 16, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    The admin backupprogress action in Atlassian Fisheye and Crucible before version 4.4.3 (the fixed version for 4.4.x) and before 4.5.0 allows remote attackers with administrative privileges to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in…

  • CVE-2017-18084 · Med · Feb 2, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.

  • CVE-2016-4318 · Med · Apr 10, 2017
    risk 0.31 · cvss 4.8 · epss 0.01

    Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.

  • CVE-2023-22527 · KEV · Jan 16, 2024
    risk 0.29 · cvss n/a · epss 1.00

    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data…

  • CVE-2023-22518 · KEV · Oct 31, 2023
    risk 0.29 · cvss n/a · epss 1.00

    All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an…

  • CVE-2023-22515 · KEV · Oct 4, 2023
    risk 0.29 · cvss n/a · epss 0.99

    Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts…

  • CVE-2022-26134 · KEV · Jun 3, 2022
    risk 0.29 · cvss n/a · epss 1.00

    In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from…

  • CVE-2021-26084 · KEV · Aug 30, 2021
    risk 0.29 · cvss n/a · epss 1.00

    In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version…

  • CVE-2021-26085 · KEV · Aug 3, 2021
    risk 0.29 · cvss n/a · epss 1.00

    Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

  • CVE-2019-11580 · KEV · Jun 3, 2019
    risk 0.29 · cvss n/a · epss 0.95

    Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary…

  • CVE-2019-3396 · KEV · Mar 25, 2019
    risk 0.29 · cvss n/a · epss 1.00

    The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2…

  • CVE-2017-18088 · Med · Feb 15, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    Various plugin servlet resources in Atlassian Bitbucket Server before version 5.3.7 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.6 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.6 (the fixed version for 5.5.x), from version 5.6.0 before 5.6.3 (the…

  • CVE-2017-18036 · Med · Feb 2, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability.

  • CVE-2017-18035 · Med · Feb 2, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check; this allows remote attackers who do not have access to a particular repository to determine its existence…

  • CVE-2017-16862 · Med · Jan 12, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2017-9505 · Med · Jun 15, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of…

  • CVE-2016-4320 · Med · Apr 10, 2017
    risk 0.28 · cvss 4.3 · epss 0.02

    Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.

  • CVE-2025-35112 · Med · Aug 26, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31.

  • CVE-2022-36804 · KEV · Aug 25, 2022
    risk 0.23 · cvss n/a · epss 0.99

    Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from…

  • CVE-2021-26086 · KEV · Aug 16, 2021
    risk 0.23 · cvss n/a · epss 1.00

    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version…

  • CVE-2019-3398 · KEV · Apr 18, 2019
    risk 0.23 · cvss n/a · epss 0.97

    Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space…

  • CVE-2022-26138 · KEV · Jul 20, 2022
    risk 0.20 · cvss n/a · epss 0.98

    The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded…

  • CVE-2019-11581 · KEV · Aug 9, 2019
    risk 0.20 · cvss n/a · epss 0.85

    There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions…

  • CVE-2015-8481 · Low · Jan 8, 2016
    risk 0.20 · cvss 3.1 · epss 0.01

    Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain…

  • CVE-2024-21683 · May 21, 2024
    risk 0.11 · cvss n/a · epss 0.88

    This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high…

  • CVE-2022-43781 · Nov 17, 2022
    risk 0.10 · cvss n/a · epss 0.98

    There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the…

  • CVE-2020-14181 · Sep 17, 2020
    risk 0.10 · cvss n/a · epss 1.00

    Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from…

  • CVE-2019-8449 · Sep 11, 2019
    risk 0.09 · cvss n/a · epss 0.85

    The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

  • CVE-2019-8451 · Sep 11, 2019
    risk 0.08 · cvss n/a · epss 0.94

    The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

  • CVE-2015-5603 · Sep 21, 2015
    risk 0.08 · cvss n/a · epss 0.59

    The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."

  • CVE-2023-26255 · Feb 28, 2023
    risk 0.07 · cvss n/a · epss 0.48

    An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.

  • CVE-2023-26256 · Feb 28, 2023
    risk 0.07 · cvss n/a · epss 0.12

    An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.

  • CVE-2022-26135 · Jun 30, 2022
    risk 0.07 · cvss n/a · epss 0.71

    A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center…

  • CVE-2022-26133 · Apr 20, 2022
    risk 0.07 · cvss n/a · epss 0.71

    SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute…

  • CVE-2022-0540 · Apr 20, 2022
    risk 0.07 · cvss n/a · epss 0.88

    A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0…

  • CVE-2020-36289 · May 12, 2021
    risk 0.07 · cvss n/a · epss 0.99

    Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0…

  • CVE-2020-29453 · Feb 18, 2021
    risk 0.07 · cvss n/a · epss 0.23

    The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an…

  • CVE-2020-14179 · Sep 21, 2020
    risk 0.07 · cvss n/a · epss 0.76

    Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before…

  • CVE-2019-8442 · May 22, 2019
    risk 0.07 · cvss n/a · epss 0.60

    The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access…

  • CVE-2019-3403 · May 22, 2019
    risk 0.07 · cvss n/a · epss 0.53

    The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

  • CVE-2019-3394 · Aug 29, 2019
    risk 0.06 · cvss n/a · epss 0.11

    There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to edit a page is able to exploit this issue to read arbitrary files on the server under /confluence/WEB-INF…

  • CVE-2019-8446 · Aug 23, 2019
    risk 0.06 · cvss n/a · epss 0.18

    The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.

  • CVE-2020-36287 · Apr 9, 2021
    risk 0.05 · cvss n/a · epss 0.09

    The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions…

  • CVE-2019-3401 · May 22, 2019
    risk 0.05 · cvss n/a · epss 0.13

    The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

Page 3 of 10