Filtered by vendor Atlassian
Subscribe
Total
413 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3401 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. | |||||
| CVE-2019-8447 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2019-11589 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 5.8 MEDIUM | 6.1 MEDIUM |
| The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | |||||
| CVE-2019-15013 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | |||||
| CVE-2019-11585 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 5.8 MEDIUM | 6.1 MEDIUM |
| The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
| CVE-2019-14996 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | |||||
| CVE-2019-11586 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2019-11587 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF). | |||||
| CVE-2019-11588 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability. | |||||
| CVE-2019-8445 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | |||||
| CVE-2019-8450 | 1 Atlassian | 1 Jira Server | 2022-03-25 | 3.5 LOW | 4.8 MEDIUM |
| Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. | |||||
| CVE-2021-43955 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | |||||
| CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 7.5 HIGH | 9.8 CRITICAL |
| Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | |||||
| CVE-2021-43956 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | |||||
| CVE-2021-43957 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-22 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. The affected versions are before version 4.8.9. | |||||
| CVE-2021-43954 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2021-43945 | 1 Atlassian | 2 Data Center, Jira | 2022-03-08 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3. | |||||
| CVE-2021-43943 | 1 Atlassian | 1 Jira Service Management | 2022-03-07 | 3.5 LOW | 4.8 MEDIUM |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. The affected versions are before version 4.21.0. | |||||
| CVE-2021-43951 | 1 Atlassian | 1 Jira Service Management | 2022-03-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping feature. The affected versions are before version 4.21.0. | |||||
| CVE-2021-43949 | 1 Atlassian | 1 Jira Service Management | 2022-03-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0. | |||||