Filtered by vendor Atlassian
Subscribe
Total
467 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11582 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI.
|
|||||
| CVE-2018-5232 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
|
|||||
| CVE-2018-5231 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
|
|||||
| CVE-2018-5230 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
|
|||||
| CVE-2018-5229 | 1 Atlassian | 1 Universal Plugin Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.
|
|||||
| CVE-2018-5228 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The /browse/~raw resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the handling of response headers.
|
|||||
| CVE-2018-5227 | 1 Atlassian | 1 Application Links | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.
|
|||||
| CVE-2018-5226 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability.
|
|||||
| CVE-2018-5225 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.
|
|||||
| CVE-2018-5224 | 2 Atlassian, Microsoft | 2 Bamboo, Windows | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All ...
Show More |
|||||
| CVE-2018-5223 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. All versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed versio ...
Show More |
|||||
| CVE-2018-20827 | 1 Atlassian | 1 Jira | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
|
|||||
| CVE-2018-20826 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
|
|||||
| CVE-2018-20824 | 1 Atlassian | 1 Jira | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
|
|||||
| CVE-2018-20241 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.
|
|||||
| CVE-2018-20240 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.
|
|||||
| CVE-2018-20239 | 1 Atlassian | 8 Application Links, Confluence Data Center, Confluence Server and 5 more | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before v ...
Show More |
|||||
| CVE-2018-20238 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
|
|||||
| CVE-2018-20237 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.
|
|||||
| CVE-2018-20236 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-20235 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-20234 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-20233 | 1 Atlassian | 1 Universal Plugin Manager | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
The Upload add-on resource in Atlassian Universal Plugin Manager before version 2.22.14 allows remote attackers who have system administrator privileges to read files, make network requests and perform a denial of service attack via an XML External Entity vulnerability in the parsing of atlassian plugin xml files in an uploaded JAR.
|
|||||
| CVE-2018-20232 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
|
|||||
| CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.0 MEDIUM | 4.1 MEDIUM |
|
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in som ...
Show More |
|||||
| CVE-2018-13403 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
|
|||||
| CVE-2018-13402 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.
|
|||||
| CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
|
|||||
| CVE-2018-13400 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.5 MEDIUM | 4.7 MEDIUM |
|
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authentic ...
Show More |
|||||
| CVE-2018-13399 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
|
|||||
| CVE-2018-13398 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.
|
|||||
| CVE-2018-13397 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-13396 | 1 Atlassian | 1 Sourcetree | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
|
|||||
| CVE-2018-13395 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.
|
|||||
| CVE-2018-13394 | 1 Atlassian | 1 Questions For Confluence | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
|
|||||
| CVE-2018-13393 | 1 Atlassian | 1 Questions For Confluence | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.
|
|||||
| CVE-2018-13392 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
|
|||||
| CVE-2018-13391 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
|
|||||
| CVE-2018-13390 | 1 Atlassian | 1 Cloudtoken | 2024-11-21 | 4.8 MEDIUM | 6.1 MEDIUM |
|
Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles.
|
|||||
| CVE-2018-13389 | 1 Atlassian | 1 Confluence | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
|
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.
|
|||||