VYPR

Atlassian: all CVEs

471 total · sorted by risk
  • CVE-2019-14997 · Sep 11, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information exposure through caching vulnerability when Jira is configured with a reverse proxy and/or a load balancer with…

  • CVE-2019-14996 · Sep 11, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.

  • CVE-2019-14995 · Sep 11, 2019
    risk 0.00 · cvss n/a · epss 0.03

    The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.

  • CVE-2019-8447 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-8445 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.03

    Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.

  • CVE-2019-8444 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.

  • CVE-2019-14999 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on…

  • CVE-2019-11589 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via…

  • CVE-2019-11588 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-11587 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).

  • CVE-2019-11586 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2019-11585 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open…

  • CVE-2019-11584 · Aug 23, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.

  • CVE-2019-15233 · Aug 20, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie.

  • CVE-2019-15053 · Aug 14, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

  • CVE-2019-8448 · Aug 13, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

  • CVE-2018-20826 · Aug 9, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

  • CVE-2018-20827 · Aug 9, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.

  • CVE-2019-11583 · Jun 26, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name".

  • CVE-2019-11582 · Jun 14, 2019
    risk 0.00 · cvss n/a · epss 0.05

    An argument injection vulnerability in the URI handlers of Atlassian Sourcetree for Windows, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI.

  • CVE-2019-3397 · Jun 3, 2019
    risk 0.00 · cvss n/a · epss 0.05

    Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for…

  • CVE-2019-8443 · May 22, 2019
    risk 0.00 · cvss n/a · epss 0.03

    The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without…

  • CVE-2019-3400 · May 3, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter.

  • CVE-2019-3399 · Apr 30, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

  • CVE-2018-20239 · Apr 30, 2019
    risk 0.00 · cvss n/a · epss 0.03

    Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS)…

  • CVE-2017-18111 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth…

  • CVE-2017-18110 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability.

  • CVE-2017-18109 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

  • CVE-2017-18108 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.

  • CVE-2017-18106 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for…

  • CVE-2017-18105 · Mar 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via…

  • CVE-2018-19498 · Mar 17, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XSS.

  • CVE-2018-20234 · Mar 8, 2019
    risk 0.00 · cvss n/a · epss 0.06

    There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit…

  • CVE-2018-20235 · Mar 8, 2019
    risk 0.00 · cvss n/a · epss 0.07

    There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to…

  • CVE-2018-20236 · Mar 8, 2019
    risk 0.00 · cvss n/a · epss 0.06

    There was a command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.

  • CVE-2018-20241 · Feb 20, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

  • CVE-2018-20240 · Feb 20, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

  • CVE-2018-13404 · Feb 13, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before…

  • CVE-2018-20237 · Feb 13, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.

  • CVE-2018-13403 · Feb 13, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS)…

  • CVE-2018-20232 · Feb 13, 2019
    risk 0.00 · cvss n/a · epss 0.01

    The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location…

  • CVE-2018-20238 · Feb 13, 2019
    risk 0.00 · cvss n/a · epss 0.02

    Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.

  • CVE-2016-10740 · Jan 29, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources.

  • CVE-2018-20233 · Jan 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the…

  • CVE-2018-13396 · Nov 5, 2018
    risk 0.00 · cvss n/a · epss 0.02

    There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this…

  • CVE-2018-13397 · Nov 5, 2018
    risk 0.00 · cvss n/a · epss 0.02

    There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to…

  • CVE-2018-13402 · Oct 23, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version…

  • CVE-2018-13400 · Oct 23, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version…

  • CVE-2018-13401 · Oct 23, 2018
    risk 0.00 · cvss n/a · epss 0.01

    The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3,…

  • CVE-2018-13399 · Oct 16, 2018
    risk 0.00 · cvss n/a · epss 0.00

    The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
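
Two of the entries above (CVE-2019-11585 in Jira's startup.jsp and CVE-2017-18109 in Crowd's CrowdId login resource) are open redirects: a resource takes a return URL from the request and sends the browser there without checking that it stays on the site. The check below is an added example, not VYPR's or Atlassian's code and not the fix Atlassian shipped; it shows the shape of a redirect-target validator that closes that class of bug, including the inputs that usually slip past a naive `startswith("/")` test. The allowed host and all sample targets are constructed.

```python
"""Added example (not VYPR's or Atlassian's code): validate a redirect
target so it can only send the browser to an allowed host.
BASE_URL and ALLOWED_HOSTS are constructed values for illustration."""
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://jira.example.com/"      # constructed
ALLOWED_HOSTS = {"jira.example.com"}         # constructed allowlist


def safe_redirect_target(target: str, base: str = BASE_URL) -> str:
    """Return an absolute URL on an allowed host, or `base` when the
    target would leave the site.

    Handles the common bypasses of a bare startswith('/') check:
    scheme-relative '//host', backslash '/\\host' (browsers treat the
    backslash as a slash), 'allowed@evil' authority tricks, non-http
    schemes such as javascript:, and look-alike or suffixed hosts."""
    if not target:
        return base
    # Drop control characters, trim whitespace, fold backslashes to
    # slashes so the parser sees what the browser will see.
    cleaned = "".join(ch for ch in target.strip() if ord(ch) >= 0x20)
    cleaned = cleaned.replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:                       # e.g. malformed IPv6 literal
        return base
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allowed
        # host. parts.hostname is the real host, so
        # 'https://jira.example.com@evil.example.net/' resolves to the
        # evil host and is rejected; 'https:///evil' has no host at all.
        if parts.scheme not in ("http", "https"):
            return base
        if parts.hostname not in ALLOWED_HOSTS:
            return base
        return cleaned
    # Path-relative target: accept exactly one leading slash, which
    # keeps it on the current origin once joined with the base.
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return base
    return urljoin(base, cleaned)


if __name__ == "__main__":
    # Constructed sample targets: the first two are legitimate, the
    # rest are the usual open-redirect payload shapes.
    for t in ["/secure/Dashboard.jspa",
              "https://jira.example.com/browse/ABC-1",
              "//evil.example.net/",
              "/\\evil.example.net/",
              "https://jira.example.com@evil.example.net/",
              "https:///evil.example.net/",
              "javascript:alert(1)"]:
        print(f"{t!r:50} -> {safe_redirect_target(t)}")
```

A same-origin check on the parsed hostname, not on the raw string, is the whole point: every payload above starts with a character or prefix that a string test would accept.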
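
Nearly every entry on this page states its affected versions in Atlassian's fixed phrasing: "before version X" (everything below X on the oldest branch) and "from version Y before version Z" (Y ≤ v < Z, with Z the first fixed release on that branch). The script below is an added example, not VYPR's or Atlassian's code; it turns those clauses into ranges and reports, for an inventory of deployed versions, which fixed release each product must reach. The four affected-version clauses are transcribed from entries above; the deployed versions are constructed inputs.

```python
"""Added example (not VYPR's or Atlassian's code): match deployed
Atlassian product versions against the affected-version clauses
quoted in the advisories on this page."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lower bound inclusive or None, upper bound exclusive = first fixed release)
Range = Tuple[Optional[Version], Version]

# Atlassian wording: "before version X", "from version Y before version Z",
# "starting with version Y before Z". "version" is sometimes omitted.
_RANGE_RE = re.compile(
    r"(?:(?:from|starting with)(?: version)? (?P<lo>\d+(?:\.\d+)*) )?"
    r"before(?: version)? (?P<hi>\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> Version:
    """'8.4' -> (8, 4, 0). Pads to three components so 8.4 == 8.4.0.
    A pre-release suffix such as '-rc1' is dropped, which is the
    conservative choice: the RC is treated like the release it precedes."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(nums + [0] * max(0, 3 - len(nums)))


def parse_ranges(clause: str) -> List[Range]:
    """Extract every affected range from an advisory clause."""
    ranges: List[Range] = []
    for m in _RANGE_RE.finditer(clause):
        lo = parse_version(m.group("lo")) if m.group("lo") else None
        ranges.append((lo, parse_version(m.group("hi"))))
    if not ranges:
        raise ValueError("no 'before version' clause found")
    return ranges


def first_fixed_version(version: str, ranges: List[Range]) -> Optional[str]:
    """Fixed release the deployed version should move to, or None when it
    sits outside every affected range (already fixed, or a later branch)."""
    v = parse_version(version)
    for lo, hi in ranges:
        if (lo is None or v >= lo) and v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(version: str, clause: str) -> bool:
    return first_fixed_version(version, parse_ranges(clause)) is not None


# Affected-version clauses transcribed from entries on this page.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "CVE-2019-14996": ("Jira", "before version 7.13.7, and from version "
                               "8.0.0 before version 8.3.3"),
    "CVE-2019-11589": ("Jira", "before version 7.13.6, from version 8.0.0 "
                               "before version 8.2.3, and from version 8.3.0 "
                               "before version 8.3.2"),
    "CVE-2017-18110": ("Crowd", "before version 3.0.2 and from version 3.1.0 "
                                "before version 3.1.1"),
    "CVE-2019-3397": ("Bitbucket Data Center", "starting with version 5.13.0 "
                                               "before 5.13.6, from 5.14.0 "
                                               "before 5.14.4"),
}


def triage(deployed: Dict[str, str]) -> Dict[str, Optional[str]]:
    """For each CVE whose product is deployed, the fix version to reach,
    or None if the deployed version is not in an affected range."""
    report: Dict[str, Optional[str]] = {}
    for cve, (product, clause) in ADVISORIES.items():
        version = deployed.get(product)
        if version is not None:
            report[cve] = first_fixed_version(version, parse_ranges(clause))
    return report


if __name__ == "__main__":
    # Constructed inventory of deployed versions.
    inventory = {"Jira": "8.3.1", "Crowd": "3.0.2",
                 "Bitbucket Data Center": "5.13.5"}
    for cve, fix in triage(inventory).items():
        print(cve, f"upgrade to {fix}" if fix else "not affected")
```

Note the gap the ranges leave: Jira 7.13.7 is not affected by CVE-2019-14996 even though 8.0.0 through 8.3.2 is, because each branch gets its own fix release, so a version comparison must test the ranges separately rather than take the highest fixed version as the cut-off.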

Page 9 of 10