Vendor CVEs
Atlassian
All CVEs
471 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-20415 | 0.00 | — | 0.01 | Jun 30, 2020 | Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0. | |||
| CVE-2019-20414 | 0.00 | — | 0.01 | Jun 29, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before… | |||
| CVE-2019-20413 | 0.00 | — | 0.02 | Jun 29, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0… | |||
| CVE-2019-20412 | 0.00 | — | 0.02 | Jun 29, 2020 | The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue… | |||
| CVE-2019-20411 | 0.00 | — | 0.01 | Jun 29, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. | |||
| CVE-2019-20410 | 0.00 | — | 0.02 | Jun 29, 2020 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and… | |||
| CVE-2020-4028 | 0.00 | — | 0.01 | Jun 23, 2020 | Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure… | |||
| CVE-2019-20409 | 0.00 | — | 0.02 | Jun 23, 2020 | The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability. | |||
| CVE-2020-4026 | 0.00 | — | 0.01 | Jun 2, 2020 | The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including… | |||
| CVE-2020-4023 | 0.00 | — | 0.01 | Jun 1, 2020 | The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter. | |||
| CVE-2020-4021 | 0.00 | — | 0.01 | Jun 1, 2020 | Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view. | |||
| CVE-2020-4020 | 0.00 | — | 0.02 | Jun 1, 2020 | The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure. | |||
| CVE-2020-4019 | 0.00 | — | 0.00 | Jun 1, 2020 | The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability. | |||
| CVE-2020-4018 | 0.00 | — | 0.01 | Jun 1, 2020 | The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability. | |||
| CVE-2020-4017 | 0.00 | — | 0.01 | Jun 1, 2020 | The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability. | |||
| CVE-2020-4016 | 0.00 | — | 0.01 | Jun 1, 2020 | The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability. | |||
| CVE-2020-4015 | 0.00 | — | 0.01 | Jun 1, 2020 | The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a information disclosure vulnerability. | |||
| CVE-2020-4014 | 0.00 | — | 0.01 | Jun 1, 2020 | The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability. | |||
| CVE-2020-4013 | 0.00 | — | 0.01 | Jun 1, 2020 | The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives. | |||
| CVE-2019-20102 | 0.00 | — | 0.01 | Apr 22, 2020 | The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType`… | |||
| CVE-2019-20407 | 0.00 | — | 0.01 | Mar 17, 2020 | The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. | |||
| CVE-2019-20105 | 0.00 | — | 0.01 | Mar 17, 2020 | The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote… | |||
| CVE-2019-20100 | 0.00 | — | 0.01 | Feb 12, 2020 | The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version… | |||
| CVE-2019-20099 | 0.00 | — | 0.01 | Feb 12, 2020 | The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the… | |||
| CVE-2019-20098 | 0.00 | — | 0.01 | Feb 12, 2020 | The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the… | |||
| CVE-2019-20406 | 0.00 | — | 0.00 | Feb 6, 2020 | The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable… | |||
| CVE-2019-20405 | 0.00 | — | 0.01 | Feb 6, 2020 | The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability. | |||
| CVE-2019-20404 | 0.00 | — | 0.01 | Feb 6, 2020 | The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. | |||
| CVE-2019-20403 | 0.00 | — | 0.01 | Feb 6, 2020 | The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability. | |||
| CVE-2019-20402 | 0.00 | — | 0.01 | Feb 6, 2020 | Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability. | |||
| CVE-2019-20401 | 0.00 | — | 0.01 | Feb 6, 2020 | Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. | |||
| CVE-2019-20400 | 0.00 | — | 0.00 | Feb 6, 2020 | The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability. | |||
| CVE-2019-20106 | 0.00 | — | 0.01 | Feb 6, 2020 | Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control… | |||
| CVE-2019-20104 | 0.00 | — | 0.02 | Feb 6, 2020 | The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. | |||
| CVE-2019-20097 | 0.00 | — | 0.02 | Jan 15, 2020 | Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before… | |||
| CVE-2019-15012 | 0.00 | — | 0.02 | Jan 15, 2020 | Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3,… | |||
| CVE-2019-15010 | 0.00 | — | 0.03 | Jan 15, 2020 | Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from… | |||
| CVE-2019-15013 | 0.00 | — | 0.01 | Dec 18, 2019 | The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue… | |||
| CVE-2019-15011 | 0.00 | — | 0.01 | Dec 17, 2019 | The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to… | |||
| CVE-2017-18107 | 0.00 | — | 0.00 | Dec 17, 2019 | Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by… | |||
| CVE-2019-19748 | 0.00 | — | 0.01 | Dec 12, 2019 | The Work Time Calendar app before 4.7.1 for Jira allows XSS. | |||
| CVE-2019-15009 | 0.00 | — | 0.01 | Dec 11, 2019 | The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability. | |||
| CVE-2019-15008 | 0.00 | — | 0.01 | Dec 11, 2019 | The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. | |||
| CVE-2019-15007 | 0.00 | — | 0.01 | Dec 11, 2019 | The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | |||
| CVE-2019-15005 | 0.00 | — | 0.01 | Nov 8, 2019 | The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration… | |||
| CVE-2019-15004 | 0.00 | — | 0.04 | Nov 7, 2019 | The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with… | |||
| CVE-2019-15003 | 0.00 | — | 0.02 | Nov 7, 2019 | The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with… | |||
| CVE-2019-14994 | 0.00 | — | 0.05 | Sep 19, 2019 | The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before… | |||
| CVE-2019-8450 | 0.00 | — | 0.01 | Sep 11, 2019 | Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the… | |||
| CVE-2019-14998 | 0.00 | — | 0.01 | Sep 11, 2019 | The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance. |
- CVE-2019-20415Jun 30, 2020risk 0.00cvss —epss 0.01
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.
- CVE-2019-20414Jun 29, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before…
- CVE-2019-20413Jun 29, 2020risk 0.00cvss —epss 0.02
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0…
- CVE-2019-20412Jun 29, 2020risk 0.00cvss —epss 0.02
The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue…
- CVE-2019-20411Jun 29, 2020risk 0.00cvss —epss 0.01
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.
- CVE-2019-20410Jun 29, 2020risk 0.00cvss —epss 0.02
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and…
- CVE-2020-4028Jun 23, 2020risk 0.00cvss —epss 0.01
Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure…
- CVE-2019-20409Jun 23, 2020risk 0.00cvss —epss 0.02
The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.
- CVE-2020-4026Jun 2, 2020risk 0.00cvss —epss 0.01
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including…
- CVE-2020-4023Jun 1, 2020risk 0.00cvss —epss 0.01
The review coverage resource in Atlassian Fisheye and Crucible before version 4.8.2 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the committerFilter parameter.
- CVE-2020-4021Jun 1, 2020risk 0.00cvss —epss 0.01
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
- CVE-2020-4020Jun 1, 2020risk 0.00cvss —epss 0.02
The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure.
- CVE-2020-4019Jun 1, 2020risk 0.00cvss —epss 0.00
The file editing functionality in the Atlassian Companion App before version 1.0.0 allows local attackers to have the app run a different executable in place of the app's cmd.exe via a untrusted search path vulnerability.
- CVE-2020-4018Jun 1, 2020risk 0.00cvss —epss 0.01
The setup resources in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to complete the setup process via a cross-site request forgery (CSRF) vulnerability.
- CVE-2020-4017Jun 1, 2020risk 0.00cvss —epss 0.01
The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get information about any configured Jira application links via an information disclosure vulnerability.
- CVE-2020-4016Jun 1, 2020risk 0.00cvss —epss 0.01
The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril plugin in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to get the ID of configured Jira application links via an information disclosure vulnerability.
- CVE-2020-4015Jun 1, 2020risk 0.00cvss —epss 0.01
The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Crucible before version 4.8.1 allows remote attackers to view user user email addresses via a information disclosure vulnerability.
- CVE-2020-4014Jun 1, 2020risk 0.00cvss —epss 0.01
The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to remove another user's watching settings for a repository via an improper authorization vulnerability.
- CVE-2020-4013Jun 1, 2020risk 0.00cvss —epss 0.01
The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.
- CVE-2019-20102Apr 22, 2020risk 0.00cvss —epss 0.01
The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType`…
- CVE-2019-20407Mar 17, 2020risk 0.00cvss —epss 0.01
The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check.
- CVE-2019-20105Mar 17, 2020risk 0.00cvss —epss 0.01
The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote…
- CVE-2019-20100Feb 12, 2020risk 0.00cvss —epss 0.01
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version…
- CVE-2019-20099Feb 12, 2020risk 0.00cvss —epss 0.01
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the…
- CVE-2019-20098Feb 12, 2020risk 0.00cvss —epss 0.01
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the…
- CVE-2019-20406Feb 6, 2020risk 0.00cvss —epss 0.00
The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable…
- CVE-2019-20405Feb 6, 2020risk 0.00cvss —epss 0.01
The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.
- CVE-2019-20404Feb 6, 2020risk 0.00cvss —epss 0.01
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.
- CVE-2019-20403Feb 6, 2020risk 0.00cvss —epss 0.01
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.
- CVE-2019-20402Feb 6, 2020risk 0.00cvss —epss 0.01
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
- CVE-2019-20401Feb 6, 2020risk 0.00cvss —epss 0.01
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.
- CVE-2019-20400Feb 6, 2020risk 0.00cvss —epss 0.00
The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability.
- CVE-2019-20106Feb 6, 2020risk 0.00cvss —epss 0.01
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control…
- CVE-2019-20104Feb 6, 2020risk 0.00cvss —epss 0.02
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
- CVE-2019-20097Jan 15, 2020risk 0.00cvss —epss 0.02
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before…
- CVE-2019-15012Jan 15, 2020risk 0.00cvss —epss 0.02
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3,…
- CVE-2019-15010Jan 15, 2020risk 0.00cvss —epss 0.03
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from…
- CVE-2019-15013Dec 18, 2019risk 0.00cvss —epss 0.01
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue…
- CVE-2019-15011Dec 17, 2019risk 0.00cvss —epss 0.01
The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to…
- CVE-2017-18107Dec 17, 2019risk 0.00cvss —epss 0.00
Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by…
- CVE-2019-19748Dec 12, 2019risk 0.00cvss —epss 0.01
The Work Time Calendar app before 4.7.1 for Jira allows XSS.
- CVE-2019-15009Dec 11, 2019risk 0.00cvss —epss 0.01
The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.
- CVE-2019-15008Dec 11, 2019risk 0.00cvss —epss 0.01
The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter.
- CVE-2019-15007Dec 11, 2019risk 0.00cvss —epss 0.01
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.
- CVE-2019-15005Nov 8, 2019risk 0.00cvss —epss 0.01
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration…
- CVE-2019-15004Nov 7, 2019risk 0.00cvss —epss 0.04
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with…
- CVE-2019-15003Nov 7, 2019risk 0.00cvss —epss 0.02
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with…
- CVE-2019-14994Sep 19, 2019risk 0.00cvss —epss 0.05
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before…
- CVE-2019-8450Sep 11, 2019risk 0.00cvss —epss 0.01
Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the…
- CVE-2019-14998Sep 11, 2019risk 0.00cvss —epss 0.01
The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.
Page 8 of 10