Filtered by vendor Atlassian
Subscribe
Total
449 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18107 | 1 Atlassian | 1 Crowd | 2019-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default. | |||||
| CVE-2019-15007 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 3.5 LOW | 4.8 MEDIUM |
| The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | |||||
| CVE-2019-15008 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. | |||||
| CVE-2019-15005 | 1 Atlassian | 8 Bamboo, Bitbucket, Confluence and 5 more | 2019-11-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2. | |||||
| CVE-2019-14994 | 1 Atlassian | 1 Jira Service Desk | 2019-11-14 | 4.3 MEDIUM | 7.5 HIGH |
| The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
| CVE-2019-15004 | 1 Atlassian | 1 Jira Service Desk | 2019-11-13 | 4.3 MEDIUM | 7.5 HIGH |
| The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
| CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2019-10-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | |||||
| CVE-2017-18095 | 1 Atlassian | 1 Crucible | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. | |||||
| CVE-2017-18035 | 1 Atlassian | 2 Crucible, Fisheye | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it. | |||||
| CVE-2017-16858 | 1 Atlassian | 1 Crowd | 2019-10-09 | 4.9 MEDIUM | 6.8 MEDIUM |
| The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1. | |||||
| CVE-2017-18036 | 1 Atlassian | 1 Bitbucket | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2017-18087 | 1 Atlassian | 1 Bitbucket | 2019-10-03 | 6.0 MEDIUM | 7.5 HIGH |
| The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability in the at parameter. | |||||
| CVE-2018-5226 | 1 Atlassian | 1 Sourcetree | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability. | |||||
| CVE-2018-20236 | 1 Atlassian | 1 Sourcetree | 2019-10-03 | 9.3 HIGH | 8.8 HIGH |
| There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system. | |||||
| CVE-2017-14593 | 1 Atlassian | 1 Sourcetree | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability | |||||
| CVE-2017-8080 | 1 Atlassian | 1 Hipchat Server | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Atlassian Hipchat Server before 2.2.4 allows remote authenticated users with user level privileges to execute arbitrary code via vectors involving image uploads. | |||||
| CVE-2018-13399 | 1 Atlassian | 2 Crucible, Fisheye | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory. | |||||
| CVE-2017-16857 | 1 Atlassian | 1 Bitbucket Auto Unapprove Plugin | 2019-10-03 | 6.0 MEDIUM | 8.5 HIGH |
| It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket. | |||||
| CVE-2018-13390 | 1 Atlassian | 1 Cloudtoken | 2019-10-03 | 4.8 MEDIUM | 6.1 MEDIUM |
| Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles. | |||||
| CVE-2018-20235 | 1 Atlassian | 1 Sourcetree | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. | |||||