Export limit exceeded: 357822 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (471 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-42977 | 1 Atlassian | 1 Confluence Data Center | 2025-04-30 | 7.5 High |
| The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded. | ||||
| CVE-2022-42978 | 1 Atlassian | 1 Confluence Data Center | 2025-04-30 | 7.5 High |
| In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. | ||||
| CVE-2024-21682 | 1 Atlassian | 1 Assets Discovery Data Center | 2025-04-30 | 7.2 High |
| This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an agent with Jira Service Management Cloud, Data Center or Server. It detects hardware and software that is connected to your local network and extracts detailed information about each asset. This data can then be imported into Assets in Jira Service Management to help you manage all of the devices and configuration items within your local network. This Injection vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to modify the actions taken by a system call which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Assets Discovery customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes (https://confluence.atlassian.com/assetapps/assets-discovery-3-2-1-cloud-6-2-1-data_center-1333987182.html). You can download the latest version of Assets Discovery from the Atlassian Marketplace (https://marketplace.atlassian.com/apps/1214668/assets-discovery?hosting=datacenter&tab=installation). This vulnerability was reported via our Penetration Testing program. | ||||
| CVE-2016-6283 | 1 Atlassian | 1 Confluence | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action. | ||||
| CVE-2016-4318 | 1 Atlassian | 1 Jira | 2025-04-20 | N/A |
| Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name. | ||||
| CVE-2017-9506 | 1 Atlassian | 1 Oauth | 2025-04-20 | N/A |
| The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF). | ||||
| CVE-2016-4319 | 1 Atlassian | 1 Jira | 2025-04-20 | N/A |
| Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. | ||||
| CVE-2017-9514 | 1 Atlassian | 1 Bamboo | 2025-04-20 | N/A |
| Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. | ||||
| CVE-2015-6576 | 1 Atlassian | 1 Bamboo | 2025-04-20 | N/A |
| Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | ||||
| CVE-2017-14588 | 1 Atlassian | 2 Crucible, Fisheye | 2025-04-20 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the dialog parameter. | ||||
| CVE-2017-9508 | 1 Atlassian | 2 Crucible, Fisheye | 2025-04-20 | N/A |
| Various resources in Atlassian Fisheye and Crucible before version 4.4.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a repository or review file. | ||||
| CVE-2017-9511 | 2 Atlassian, Microsoft | 3 Crucible, Fisheye, Windows | 2025-04-20 | 7.5 High |
| The MultiPathResource class in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to read arbitrary files via a path traversal vulnerability when Fisheye or Crucible is running on the Microsoft Windows operating system. | ||||
| CVE-2016-4320 | 1 Atlassian | 1 Bitbucket | 2025-04-20 | N/A |
| Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource. | ||||
| CVE-2017-14587 | 1 Atlassian | 2 Crucible, Fisheye | 2025-04-20 | N/A |
| The administration user deletion resource in Atlassian Fisheye and Crucible before version 4.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the uname parameter. | ||||
| CVE-2017-14590 | 1 Atlassian | 1 Bamboo | 2025-04-20 | N/A |
| Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable version of Bamboo Server. Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. | ||||
| CVE-2017-14589 | 1 Atlassian | 1 Bamboo | 2025-04-20 | N/A |
| It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability. | ||||
| CVE-2017-8907 | 1 Atlassian | 1 Bamboo | 2025-04-20 | 8.8 High |
| Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. | ||||
| CVE-2016-6668 | 1 Atlassian | 2 Confluence Server, Jira Integration For Hipchat | 2025-04-20 | 7.5 High |
| The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages. | ||||
| CVE-2017-8768 | 1 Atlassian | 1 Sourcetree | 2025-04-20 | N/A |
| Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632. | ||||
| CVE-2016-4317 | 1 Atlassian | 1 Confluence | 2025-04-20 | N/A |
| Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. | ||||