Vendor CVEs
Atlassian
All CVEs
471 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-14997 | 0.00 | — | 0.01 | Sep 11, 2019 | The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information exposure through caching vulnerability when Jira is configured with a reverse proxy and/or a load balancer with… |
| CVE-2019-14996 | 0.00 | — | 0.01 | Sep 11, 2019 | The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. |
| CVE-2019-14995 | 0.00 | — | 0.03 | Sep 11, 2019 | The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check. |
| CVE-2019-8447 | 0.00 | — | 0.01 | Aug 23, 2019 | The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-8445 | 0.00 | — | 0.03 | Aug 23, 2019 | Several worklog REST resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. |
| CVE-2019-8444 | 0.00 | — | 0.01 | Aug 23, 2019 | The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. |
| CVE-2019-14999 | 0.00 | — | 0.01 | Aug 23, 2019 | The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on… |
| CVE-2019-11589 | 0.00 | — | 0.01 | Aug 23, 2019 | The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via… |
| CVE-2019-11588 | 0.00 | — | 0.01 | Aug 23, 2019 | The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-11587 | 0.00 | — | 0.01 | Aug 23, 2019 | Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). |
| CVE-2019-11586 | 0.00 | — | 0.01 | Aug 23, 2019 | The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. |
| CVE-2019-11585 | 0.00 | — | 0.01 | Aug 23, 2019 | The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open… |
| CVE-2019-11584 | 0.00 | — | 0.01 | Aug 23, 2019 | The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon URL of an issue priority. |
| CVE-2019-15233 | 0.00 | — | 0.01 | Aug 20, 2019 | The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie. |
| CVE-2019-15053 | 0.00 | — | 0.01 | Aug 14, 2019 | The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element. |
| CVE-2019-8448 | 0.00 | — | 0.02 | Aug 13, 2019 | The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability. |
| CVE-2018-20826 | 0.00 | — | 0.01 | Aug 9, 2019 | The inline-create REST resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check. |
| CVE-2018-20827 | 0.00 | — | 0.01 | Aug 9, 2019 | The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter. |
| CVE-2019-11583 | 0.00 | — | 0.01 | Jun 26, 2019 | The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name". |
| CVE-2019-11582 | 0.00 | — | 0.05 | Jun 14, 2019 | An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI. |
| CVE-2019-3397 | 0.00 | — | 0.05 | Jun 3, 2019 | Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for… |
| CVE-2019-8443 | 0.00 | — | 0.03 | May 22, 2019 | The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to an administrator's session to access the ViewUpgrades administrative resource without… |
| CVE-2019-3400 | 0.00 | — | 0.01 | May 3, 2019 | The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. |
| CVE-2019-3399 | 0.00 | — | 0.02 | Apr 30, 2019 | The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check. |
| CVE-2018-20239 | 0.00 | — | 0.03 | Apr 30, 2019 | Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS)… |
| CVE-2017-18111 | 0.00 | — | 0.02 | Mar 29, 2019 | The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious OAuth… |
| CVE-2017-18110 | 0.00 | — | 0.01 | Mar 29, 2019 | The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via an XXE vulnerability. |
| CVE-2017-18109 | 0.00 | — | 0.01 | Mar 29, 2019 | The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. |
| CVE-2017-18108 | 0.00 | — | 0.02 | Mar 29, 2019 | The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. |
| CVE-2017-18106 | 0.00 | — | 0.01 | Mar 29, 2019 | The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory; this allows remote attackers who can authenticate to Crowd or an application using Crowd for… |
| CVE-2017-18105 | 0.00 | — | 0.01 | Mar 29, 2019 | The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party REST resources via… |
| CVE-2018-19498 | 0.00 | — | 0.02 | Mar 17, 2019 | The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XSS. |
| CVE-2018-20234 | 0.00 | — | 0.06 | Mar 8, 2019 | There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit… |
| CVE-2018-20235 | 0.00 | — | 0.07 | Mar 8, 2019 | There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to… |
| CVE-2018-20236 | 0.00 | — | 0.06 | Mar 8, 2019 | There was a command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system. |
| CVE-2018-20241 | 0.00 | — | 0.01 | Feb 20, 2019 | The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter. |
| CVE-2018-20240 | 0.00 | — | 0.01 | Feb 20, 2019 | The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. |
| CVE-2018-13404 | 0.00 | — | 0.01 | Feb 13, 2019 | The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before… |
| CVE-2018-20237 | 0.00 | — | 0.02 | Feb 13, 2019 | Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the Word export feature. |
| CVE-2018-13403 | 0.00 | — | 0.01 | Feb 13, 2019 | The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS)… |
| CVE-2018-20232 | 0.00 | — | 0.01 | Feb 13, 2019 | The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a URL location… |
| CVE-2018-20238 | 0.00 | — | 0.02 | Feb 13, 2019 | Various REST resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. |
| CVE-2016-10740 | 0.00 | — | 0.01 | Jan 29, 2019 | Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources. |
| CVE-2018-20233 | 0.00 | — | 0.02 | Jan 18, 2019 | The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the… |
| CVE-2018-13396 | 0.00 | — | 0.02 | Nov 5, 2018 | There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this… |
| CVE-2018-13397 | 0.00 | — | 0.02 | Nov 5, 2018 | There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to… |
| CVE-2018-13402 | 0.00 | — | 0.01 | Oct 23, 2018 | Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version… |
| CVE-2018-13400 | 0.00 | — | 0.01 | Oct 23, 2018 | Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version… |
| CVE-2018-13401 | 0.00 | — | 0.01 | Oct 23, 2018 | The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3,… |
| CVE-2018-13399 | 0.00 | — | 0.00 | Oct 16, 2018 | The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory. |
Page 9 of 10