Filtered by vendor Atlassian
Subscriptions
Total
433 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-14592 | 1 Atlassian | 1 Sourcetree | 2020-05-11 | N/A |
Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability. | ||||
CVE-2018-13385 | 1 Atlassian | 1 Sourcetree | 2020-05-11 | N/A |
There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability. | ||||
CVE-2018-13396 | 1 Atlassian | 1 Sourcetree | 2020-05-11 | N/A |
There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. | ||||
CVE-2020-9344 | 1 Atlassian | 1 Subversion Application Lifecycle Management | 2020-03-23 | 6.1 Medium |
Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations. | ||||
CVE-2012-1500 | 1 Atlassian | 2 Greenhopper, Jira | 2020-02-24 | 5.4 Medium |
Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code. | ||||
CVE-2019-15011 | 1 Atlassian | 1 Application Links | 2019-12-30 | 4.3 Medium |
The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check. | ||||
CVE-2017-18107 | 1 Atlassian | 1 Crowd | 2019-12-27 | 6.5 Medium |
Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default. | ||||
CVE-2019-15007 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 4.8 Medium |
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch. | ||||
CVE-2019-15008 | 1 Atlassian | 2 Crucible, Fisheye | 2019-12-12 | 6.1 Medium |
The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter. | ||||
CVE-2019-15005 | 1 Atlassian | 8 Bamboo, Bitbucket, Confluence and 5 more | 2019-11-14 | 4.3 Medium |
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2. | ||||
CVE-2019-14994 | 1 Atlassian | 1 Jira Service Desk | 2019-11-14 | 7.5 High |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | ||||
CVE-2019-15004 | 1 Atlassian | 1 Jira Service Desk | 2019-11-13 | 7.5 High |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | ||||
CVE-2017-9513 | 1 Atlassian | 1 Activity Streams | 2019-10-09 | N/A |
Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. | ||||
CVE-2017-18095 | 1 Atlassian | 1 Crucible | 2019-10-09 | N/A |
The SnippetRPCServiceImpl class in Atlassian Crucible before version 4.5.1 (the fixed version 4.5.x) and before 4.6.0 allows remote attackers to comment on snippets they do not have authorization to access via an improper authorization vulnerability. | ||||
CVE-2017-18036 | 1 Atlassian | 1 Bitbucket | 2019-10-09 | N/A |
The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability. | ||||
CVE-2017-18035 | 1 Atlassian | 2 Crucible, Fisheye | 2019-10-09 | N/A |
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it. | ||||
CVE-2017-16858 | 1 Atlassian | 1 Crowd | 2019-10-09 | N/A |
The 'crowd-application' plugin module (notably used by the Google Apps plugin) in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given the following situation: the Crowd application is bound to directory 1 and has a user called admin and the Google Apps application is bound to directory 2, which also has a user called admin, it was possible to authenticate REST requests using the credentials of the user coming from directory 2 and impersonate the user from directory 1. | ||||
CVE-2017-16857 | 1 Atlassian | 1 Bitbucket Auto Unapprove Plugin | 2019-10-03 | N/A |
It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket. | ||||
CVE-2017-9514 | 1 Atlassian | 1 Bamboo | 2019-10-03 | N/A |
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. | ||||
CVE-2018-13390 | 1 Atlassian | 1 Cloudtoken | 2019-10-03 | N/A |
Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles. |