Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-14588

Summary
Assigner-atlassian
Assigner Org ID-f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At-11 Oct, 2017 | 18:00
Updated At-15 Oct, 2024 | 19:14
Rejected At-
Credits

Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:atlassian
Assigner Org ID:f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At:11 Oct, 2017 | 18:00
Updated At:15 Oct, 2024 | 19:14
Rejected At:
▼CVE Numbering Authority (CNA)

Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.

Affected Products
Vendor
AtlassianAtlassian
Product
Atlassian Fisheye and Crucible
Versions
Affected
  • All versions prior to version 4.4.2
Problem Types
TypeCWE IDDescription
textN/ACross Site Scripting (XSS)
Type: text
CWE ID: N/A
Description: Cross Site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/101268
vdb-entry
x_refsource_BID
https://jira.atlassian.com/browse/FE-6935
x_refsource_MISC
https://jira.atlassian.com/browse/CRUC-8113
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/bid/101268
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://jira.atlassian.com/browse/FE-6935
Resource:
x_refsource_MISC
Hyperlink: https://jira.atlassian.com/browse/CRUC-8113
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/101268
vdb-entry
x_refsource_BID
x_transferred
https://jira.atlassian.com/browse/FE-6935
x_refsource_MISC
x_transferred
https://jira.atlassian.com/browse/CRUC-8113
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/bid/101268
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://jira.atlassian.com/browse/FE-6935
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://jira.atlassian.com/browse/CRUC-8113
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@atlassian.com
Published At:11 Oct, 2017 | 18:29
Updated At:20 Apr, 2025 | 01:37

Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.06.1MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
Atlassian
atlassian
>>crucible>>Versions up to 4.4.1(inclusive)
cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>fisheye>>Versions up to 4.4.1(inclusive)
cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/101268security@atlassian.com
Third Party Advisory
VDB Entry
https://jira.atlassian.com/browse/CRUC-8113security@atlassian.com
Issue Tracking
Vendor Advisory
https://jira.atlassian.com/browse/FE-6935security@atlassian.com
Issue Tracking
Vendor Advisory
http://www.securityfocus.com/bid/101268af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://jira.atlassian.com/browse/CRUC-8113af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Vendor Advisory
https://jira.atlassian.com/browse/FE-6935af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/101268
Source: security@atlassian.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://jira.atlassian.com/browse/CRUC-8113
Source: security@atlassian.com
Resource:
Issue Tracking
Vendor Advisory
Hyperlink: https://jira.atlassian.com/browse/FE-6935
Source: security@atlassian.com
Resource:
Issue Tracking
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/101268
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://jira.atlassian.com/browse/CRUC-8113
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Vendor Advisory
Hyperlink: https://jira.atlassian.com/browse/FE-6935
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

12393Records found
CVE-2018-13402
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 24.91%
||
7 Day CHG~0.00%
Published-23 Oct, 2018 | 14:00
Updated-16 Sep, 2024 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-13398
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 33.46%
||
7 Day CHG~0.00%
Published-18 Sep, 2018 | 14:00
Updated-16 Sep, 2024 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The administrative smart-commits resource in Atlassian Fisheye and Crucible before version 4.5.4 allows remote attackers to modify smart-commit settings via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-13401
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 24.91%
||
7 Day CHG~0.00%
Published-23 Oct, 2018 | 14:00
Updated-17 Sep, 2024 | 03:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-13393
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.18%
||
7 Day CHG~0.00%
Published-15 Aug, 2018 | 12:00
Updated-16 Sep, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The convertCommentToAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-questions_for_confluenceConfluence Questions
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-43952
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.46%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 00:45
Updated-04 Oct, 2024 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira ServerJira Data Center
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-13394
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.29%
||
7 Day CHG~0.00%
Published-15 Aug, 2018 | 12:00
Updated-16 Sep, 2024 | 22:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The acceptAnswer resource in Atlassian Confluence Questions before version 2.6.6, the bundled version of Confluence Questions was updated to a fixed version in Confluence version 6.9.0, allows remote attackers to modify a comment into an answer via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-questions_for_confluenceConfluence Questions
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-43941
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 33.51%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 03:30
Updated-08 Oct, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira ServerJira Data Center
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-9506
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-40.74% / 97.27%
||
7 Day CHG~0.00%
Published-23 Aug, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

Action-Not Available
Vendor-Atlassian
Product-oauthAtlassian OAuth Plugin
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-43956
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.37% / 58.22%
||
7 Day CHG~0.00%
Published-16 Mar, 2022 | 00:55
Updated-03 Oct, 2024 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheyeCrucible
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2017-18033
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 24.38%
||
7 Day CHG~0.00%
Published-18 Jan, 2018 | 14:00
Updated-17 Sep, 2024 | 03:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.

Action-Not Available
Vendor-Atlassian
Product-jiraJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-18088
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.43%
||
7 Day CHG~0.00%
Published-15 Feb, 2018 | 13:00
Updated-05 Aug, 2024 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various plugin servlet resources in Atlassian Bitbucket Server before version 5.3.7 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.6 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.6 (the fixed version for 5.5.x), from version 5.6.0 before 5.6.3 (the fixed version for 5.6.x), from version 5.7.0 before 5.7.1 (the fixed version for 5.7.x) and before 5.8.0 allow remote attackers to conduct clickjacking attacks via framing various resources that lacked clickjacking protection.

Action-Not Available
Vendor-n/aAtlassian
Product-bitbucketn/a
CWE ID-CWE-20
Improper Input Validation
CVE-2017-18109
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 35.30%
||
7 Day CHG~0.00%
Published-29 Mar, 2019 | 14:04
Updated-16 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

Action-Not Available
Vendor-Atlassian
Product-crowdCrowd
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-18103
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.7||MEDIUM
EPSS-0.17% / 38.44%
||
7 Day CHG~0.00%
Published-18 Jul, 2018 | 14:00
Updated-17 Sep, 2024 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml.

Action-Not Available
Vendor-Atlassian
Product-http_libraryatlassian-http
CWE ID-CWE-20
Improper Input Validation
CVE-2017-16862
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.29%
||
7 Day CHG~0.00%
Published-12 Jan, 2018 | 14:00
Updated-16 Sep, 2024 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jiraJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2014-2313
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 45.57%
||
7 Day CHG~0.00%
Published-07 Mar, 2014 | 20:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.

Action-Not Available
Vendor-n/aAtlassianMicrosoft Corporation
Product-jirawindowsn/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-39124
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.26%
||
7 Day CHG~0.00%
Published-14 Sep, 2021 | 04:20
Updated-10 Oct, 2024 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request.

Action-Not Available
Vendor-Atlassian
Product-data_centerjiraJira ServerJira Data Center
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-8447
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.10%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20405
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.54%
||
7 Day CHG~0.00%
Published-06 Feb, 2020 | 03:10
Updated-16 Sep, 2024 | 22:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20415
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.16%
||
7 Day CHG~0.00%
Published-30 Jun, 2020 | 02:50
Updated-17 Sep, 2024 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20401
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 55.01%
||
7 Day CHG~0.00%
Published-06 Feb, 2020 | 03:10
Updated-16 Sep, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20411
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.18%
||
7 Day CHG~0.00%
Published-29 Jun, 2020 | 05:30
Updated-16 Sep, 2024 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerjiraJira Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-14998
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.68%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 13:56
Updated-16 Sep, 2024 | 22:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-14999
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.02%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-17 Sep, 2024 | 02:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.

Action-Not Available
Vendor-Atlassian
Product-universal_plugin_managerUniversal Plugin Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-11585
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.16% / 36.72%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-16 Sep, 2024 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2019-11589
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 38.52%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-17 Sep, 2024 | 04:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverJira
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2019-11587
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 25.02%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-17 Sep, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-11586
Matching Score-8
Assigner-Atlassian
ShareView Details
Matching Score-8
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.02%
||
7 Day CHG~0.00%
Published-23 Aug, 2019 | 13:49
Updated-16 Sep, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-5227
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.16% / 36.71%
||
7 Day CHG~0.00%
Published-10 Apr, 2018 | 13:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.

Action-Not Available
Vendor-Atlassian
Product-application_linksAtlassian Application Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-5229
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 38.95%
||
7 Day CHG~0.00%
Published-16 Jul, 2018 | 13:00
Updated-17 Sep, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.

Action-Not Available
Vendor-Atlassian
Product-universal_plugin_managerUniversal Plugin Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20827
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 38.95%
||
7 Day CHG~0.00%
Published-09 Aug, 2019 | 19:31
Updated-16 Sep, 2024 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.

Action-Not Available
Vendor-Atlassian
Product-jiraJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20240
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 39.16%
||
7 Day CHG~0.00%
Published-20 Feb, 2019 | 15:00
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20239
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.55% / 67.34%
||
7 Day CHG-0.01%
Published-30 Apr, 2019 | 15:28
Updated-16 Sep, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerfisheyejira_serverapplication_linksjira_data_centercruciblecrowdconfluence_serverAtlassian Application Links
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20241
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.40%
||
7 Day CHG~0.00%
Published-20 Feb, 2019 | 15:00
Updated-17 Sep, 2024 | 00:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4317
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.66%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.

Action-Not Available
Vendor-n/aAtlassian
Product-confluenceAtlassian Confluence Server before 5.9.11
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-14587
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.40%
||
7 Day CHG~0.00%
Published-11 Oct, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleAtlassian Fisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4318
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 38.03%
||
7 Day CHG~0.00%
Published-10 Apr, 2017 | 03:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.

Action-Not Available
Vendor-n/aAtlassian
Product-jiraAtlassian JIRA Server before 7.1.9
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20232
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.53%
||
7 Day CHG~0.00%
Published-13 Feb, 2019 | 18:00
Updated-16 Sep, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26083
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.68%
||
7 Day CHG~0.00%
Published-20 Jul, 2021 | 03:25
Updated-17 Oct, 2024 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-Atlassian
Product-data_centerjira_serverjira_data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26082
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.68%
||
7 Day CHG~0.00%
Published-20 Jul, 2021 | 03:25
Updated-11 Oct, 2024 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.

Action-Not Available
Vendor-Atlassian
Product-data_centerjira_serverjira_data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-18034
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.12%
||
7 Day CHG~0.00%
Published-02 Feb, 2018 | 14:00
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The source browse resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheye and Crucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4013
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2020 | 06:35
Updated-16 Sep, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The review resource in Atlassian Fisheye and Crucible before version 4.8.1 allows remote attackers to inject arbitrary HTML or Javascript via a cross site scripting (XSS) vulnerability through the review objectives.

Action-Not Available
Vendor-Atlassian
Product-fisheyecrucibleFisheyeCrucible
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4025
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 50.70%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a rdf content type.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4024
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.10%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_software_data_centerjira_data_centerjiraJira Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36234
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 40.77%
||
7 Day CHG~0.00%
Published-15 Feb, 2021 | 00:00
Updated-16 Sep, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

Action-Not Available
Vendor-Atlassian
Product-data_centerjira_serverjira_data_centerjiraJira ServerJira Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36290
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 63.52%
||
7 Day CHG~0.00%
Published-26 Jul, 2022 | 04:05
Updated-03 Oct, 2024 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence ServerConfluence Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-29444
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.35%
||
7 Day CHG~0.00%
Published-07 May, 2021 | 06:10
Updated-12 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters.

Action-Not Available
Vendor-Atlassian
Product-confluence_serverconfluence_data_centerConfluence Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14184
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.24%
||
7 Day CHG~0.00%
Published-12 Oct, 2020 | 03:15
Updated-17 Sep, 2024 | 00:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 before 8.12.3, and from version 8.13.0 before 8.13.1.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjiraJira Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-14166
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-4.8||MEDIUM
EPSS-0.76% / 72.90%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.

Action-Not Available
Vendor-Atlassian
Product-jira_service_deskJira Service Desk Server and Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21690
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-7.1||HIGH
EPSS-0.88% / 74.89%
||
7 Day CHG~0.00%
Published-21 Aug, 2024 | 16:05
Updated-30 Jul, 2025 | 13:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

Action-Not Available
Vendor-Atlassian
Product-confluence_serverconfluence_data_centerConfluence ServerConfluence Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-21678
Matching Score-6
Assigner-Atlassian
ShareView Details
Matching Score-6
Assigner-Atlassian
CVSS Score-8.5||HIGH
EPSS-1.54% / 81.03%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:00
Updated-06 May, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:   ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended | |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence Data Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 247
  • 248
  • Next
Details not found