Vendor CVEs
Atlassian
All CVEs
471 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36234 | 0.00 | — | 0.01 | Feb 15, 2021 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3,… | |||
| CVE-2020-36237 | 0.00 | — | 0.01 | Feb 14, 2021 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0. | |||
| CVE-2020-36236 | 0.00 | — | 0.01 | Feb 14, 2021 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version… | |||
| CVE-2020-36235 | 0.00 | — | 0.02 | Feb 14, 2021 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version… | |||
| CVE-2020-14192 | 0.00 | — | 0.01 | Feb 1, 2021 | Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4. | |||
| CVE-2020-36231 | 0.00 | — | 0.01 | Feb 1, 2021 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0… | |||
| CVE-2021-26067 | 0.00 | — | 0.01 | Jan 28, 2021 | Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The… | |||
| CVE-2020-29450 | 0.00 | — | 0.02 | Jan 19, 2021 | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. | |||
| CVE-2020-29446 | 0.00 | — | 0.01 | Jan 18, 2021 | Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. | |||
| CVE-2020-29447 | 0.00 | — | 0.01 | Dec 21, 2020 | Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before… | |||
| CVE-2020-14193 | 0.00 | — | 0.01 | Nov 30, 2020 | Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories via a template injection vulnerability in Jira smart values using mustache… | |||
| CVE-2020-14190 | 0.00 | — | 0.01 | Nov 25, 2020 | Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4. | |||
| CVE-2020-14191 | 0.00 | — | 0.01 | Nov 25, 2020 | Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4. | |||
| CVE-2020-14189 | 0.00 | — | 0.02 | Nov 9, 2020 | The execute function in in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment. | |||
| CVE-2020-14188 | 0.00 | — | 0.03 | Nov 9, 2020 | The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue. | |||
| CVE-2020-14185 | 0.00 | — | 0.02 | Oct 15, 2020 | Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version… | |||
| CVE-2020-14184 | 0.00 | — | 0.01 | Oct 12, 2020 | Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version… | |||
| CVE-2020-14183 | 0.00 | — | 0.01 | Oct 6, 2020 | Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before… | |||
| CVE-2019-20903 | 0.00 | — | 0.01 | Oct 1, 2020 | The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets. | |||
| CVE-2019-20902 | 0.00 | — | 0.01 | Oct 1, 2020 | Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1. | |||
| CVE-2020-14177 | 0.00 | — | 0.02 | Sep 21, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0… | |||
| CVE-2020-14180 | 0.00 | — | 0.01 | Sep 21, 2020 | Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The… | |||
| CVE-2020-14178 | 0.00 | — | 0.03 | Sep 1, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from… | |||
| CVE-2020-24897 | 0.00 | — | 0.01 | Aug 29, 2020 | The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro. | |||
| CVE-2017-18112 | 0.00 | — | 0.01 | Aug 5, 2020 | Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3. | |||
| CVE-2020-14175 | 0.00 | — | 0.01 | Jul 24, 2020 | Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before… | |||
| CVE-2019-20901 | 0.00 | — | 0.01 | Jul 13, 2020 | The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter. | |||
| CVE-2020-14174 | 0.00 | — | 0.01 | Jul 13, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from… | |||
| CVE-2019-20900 | 0.00 | — | 0.01 | Jul 13, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0. | |||
| CVE-2019-20899 | 0.00 | — | 0.02 | Jul 13, 2020 | The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1. | |||
| CVE-2019-20898 | 0.00 | — | 0.01 | Jul 13, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0. | |||
| CVE-2019-20897 | 0.00 | — | 0.02 | Jul 13, 2020 | The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before… | |||
| CVE-2020-14170 | 0.00 | — | 0.01 | Jul 9, 2020 | Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. | |||
| CVE-2020-14171 | 0.00 | — | 0.01 | Jul 9, 2020 | Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack. | |||
| CVE-2020-14173 | 0.00 | — | 0.01 | Jul 3, 2020 | The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2,… | |||
| CVE-2020-14172 | 0.00 | — | 0.03 | Jul 3, 2020 | This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers… | |||
| CVE-2019-20419 | 0.00 | — | 0.01 | Jul 3, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2. | |||
| CVE-2019-20418 | 0.00 | — | 0.01 | Jul 3, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0. | |||
| CVE-2020-4029 | 0.00 | — | 0.01 | Jul 1, 2020 | The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability. | |||
| CVE-2020-4027 | 0.00 | — | 0.02 | Jul 1, 2020 | Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version… | |||
| CVE-2020-4025 | 0.00 | — | 0.01 | Jul 1, 2020 | The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or… | |||
| CVE-2020-4024 | 0.00 | — | 0.01 | Jul 1, 2020 | The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a… | |||
| CVE-2020-4022 | 0.00 | — | 0.01 | Jul 1, 2020 | The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a… | |||
| CVE-2020-14169 | 0.00 | — | 0.01 | Jul 1, 2020 | The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability | |||
| CVE-2020-14168 | 0.00 | — | 0.02 | Jul 1, 2020 | The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM)… | |||
| CVE-2020-14167 | 0.00 | — | 0.02 | Jul 1, 2020 | The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability. | |||
| CVE-2020-14165 | 0.00 | — | 0.01 | Jul 1, 2020 | The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability. | |||
| CVE-2020-14164 | 0.00 | — | 0.01 | Jul 1, 2020 | The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field. | |||
| CVE-2019-20408 | 0.00 | — | 0.01 | Jul 1, 2020 | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. | |||
| CVE-2019-20416 | 0.00 | — | 0.01 | Jun 30, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0. |
- CVE-2020-36234Feb 15, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3,…
- CVE-2020-36237Feb 14, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.
- CVE-2020-36236Feb 14, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version…
- CVE-2020-36235Feb 14, 2021risk 0.00cvss —epss 0.02
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version…
- CVE-2020-14192Feb 1, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics. The affected versions are before version 4.8.4.
- CVE-2020-36231Feb 1, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0…
- CVE-2021-26067Jan 28, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The…
- CVE-2020-29450Jan 19, 2021risk 0.00cvss —epss 0.02
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
- CVE-2020-29446Jan 18, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
- CVE-2020-29447Dec 21, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before…
- CVE-2020-14193Nov 30, 2020risk 0.00cvss —epss 0.01
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories via a template injection vulnerability in Jira smart values using mustache…
- CVE-2020-14190Nov 25, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.
- CVE-2020-14191Nov 25, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.
- CVE-2020-14189Nov 9, 2020risk 0.00cvss —epss 0.02
The execute function in in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment.
- CVE-2020-14188Nov 9, 2020risk 0.00cvss —epss 0.03
The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue.
- CVE-2020-14185Oct 15, 2020risk 0.00cvss —epss 0.02
Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before version…
- CVE-2020-14184Oct 12, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version…
- CVE-2020-14183Oct 6, 2020risk 0.00cvss —epss 0.01
Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before…
- CVE-2019-20903Oct 1, 2020risk 0.00cvss —epss 0.01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
- CVE-2019-20902Oct 1, 2020risk 0.00cvss —epss 0.01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
- CVE-2020-14177Sep 21, 2020risk 0.00cvss —epss 0.02
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0…
- CVE-2020-14180Sep 21, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The…
- CVE-2020-14178Sep 1, 2020risk 0.00cvss —epss 0.03
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from…
- CVE-2020-24897Aug 29, 2020risk 0.00cvss —epss 0.01
The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro.
- CVE-2017-18112Aug 5, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
- CVE-2020-14175Jul 24, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before…
- CVE-2019-20901Jul 13, 2020risk 0.00cvss —epss 0.01
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
- CVE-2020-14174Jul 13, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from…
- CVE-2019-20900Jul 13, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
- CVE-2019-20899Jul 13, 2020risk 0.00cvss —epss 0.02
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
- CVE-2019-20898Jul 13, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
- CVE-2019-20897Jul 13, 2020risk 0.00cvss —epss 0.02
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before…
- CVE-2020-14170Jul 9, 2020risk 0.00cvss —epss 0.01
Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
- CVE-2020-14171Jul 9, 2020risk 0.00cvss —epss 0.01
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
- CVE-2020-14173Jul 3, 2020risk 0.00cvss —epss 0.01
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2,…
- CVE-2020-14172Jul 3, 2020risk 0.00cvss —epss 0.03
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers…
- CVE-2019-20419Jul 3, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.
- CVE-2019-20418Jul 3, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before version 8.8.0.
- CVE-2020-4029Jul 1, 2020risk 0.00cvss —epss 0.01
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
- CVE-2020-4027Jul 1, 2020risk 0.00cvss —epss 0.02
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version…
- CVE-2020-4025Jul 1, 2020risk 0.00cvss —epss 0.01
The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or…
- CVE-2020-4024Jul 1, 2020risk 0.00cvss —epss 0.01
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a…
- CVE-2020-4022Jul 1, 2020risk 0.00cvss —epss 0.01
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a…
- CVE-2020-14169Jul 1, 2020risk 0.00cvss —epss 0.01
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability
- CVE-2020-14168Jul 1, 2020risk 0.00cvss —epss 0.02
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM)…
- CVE-2020-14167Jul 1, 2020risk 0.00cvss —epss 0.02
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability.
- CVE-2020-14165Jul 1, 2020risk 0.00cvss —epss 0.01
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
- CVE-2020-14164Jul 1, 2020risk 0.00cvss —epss 0.01
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field.
- CVE-2019-20408Jul 1, 2020risk 0.00cvss —epss 0.01
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
- CVE-2019-20416Jun 30, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0.
Page 7 of 10