Filtered by vendor Atlassian
Subscribe
Total
413 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18111 | 1 Atlassian | 1 Application Links | 2019-04-01 | 5.5 MEDIUM | 8.7 HIGH |
| The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability. | |||||
| CVE-2017-18105 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.8 MEDIUM | 8.1 HIGH |
| The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability. | |||||
| CVE-2017-18106 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.0 MEDIUM | 7.5 HIGH |
| The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with an identifier_hash for another user or a user in a different directory, this allows remote attackers who can authenticate to Crowd or an application using Crowd for authentication to gain access to another user's session provided they can make their identifier hash collide with another user's session identifier hash. | |||||
| CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.5 MEDIUM | 7.2 HIGH |
| The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
| CVE-2017-18110 | 1 Atlassian | 1 Crowd | 2019-04-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. | |||||
| CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2019-04-01 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
| CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2019-02-26 | 3.5 LOW | 4.8 MEDIUM |
| The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter. | |||||
| CVE-2018-20241 | 1 Atlassian | 2 Crucible, Fisheye | 2019-02-26 | 3.5 LOW | 5.4 MEDIUM |
| The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter. | |||||
| CVE-2018-20238 | 1 Atlassian | 1 Crowd | 2019-02-26 | 5.5 MEDIUM | 8.1 HIGH |
| Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. | |||||
| CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2019-02-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR. | |||||
| CVE-2016-10740 | 1 Atlassian | 1 Crowd | 2019-01-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources. | |||||
| CVE-2018-1000422 | 1 Atlassian | 1 Crowd2 | 2019-01-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings. | |||||
| CVE-2018-13398 | 1 Atlassian | 2 Crucible, Fisheye | 2018-12-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2017-18040 | 1 Atlassian | 1 Bamboo | 2018-10-17 | 3.5 LOW | 5.4 MEDIUM |
| The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. | |||||
| CVE-2018-13394 | 1 Atlassian | 1 Questions For Confluence | 2018-10-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2018-13393 | 1 Atlassian | 1 Questions For Confluence | 2018-10-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2016-4320 | 1 Atlassian | 1 Bitbucket | 2018-10-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource. | |||||
| CVE-2018-13392 | 1 Atlassian | 2 Crucible, Fisheye | 2018-10-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys. | |||||
| CVE-2017-7357 | 1 Atlassian | 1 Hipchat Server | 2018-10-09 | 6.5 MEDIUM | 9.1 CRITICAL |
| Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file. | |||||
| CVE-2016-6496 | 1 Atlassian | 1 Crowd | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x before 2.9.5 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. | |||||