Vulnerabilities > Atlassian > Confluence Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-07-24 | CVE-2020-14175 | Cross-site Scripting vulnerability in Atlassian Confluence Server Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. | 5.4 |
| 2020-07-01 | CVE-2020-4027 | Injection vulnerability in Atlassian Confluence Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. | 4.7 |
| 2020-04-22 | CVE-2019-20102 | Cross-site Scripting vulnerability in Atlassian Confluence Server The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. | 6.1 |
| 2020-02-06 | CVE-2019-20406 | Uncontrolled Search Path Element vulnerability in Atlassian Confluence The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability. | 7.8 |
| 2019-12-19 | CVE-2019-15006 | Improper Control of Dynamically-Managed Code Resources vulnerability in Atlassian Confluence and Confluence Server There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. | 6.5 |
| 2019-08-29 | CVE-2019-3394 | Path Traversal vulnerability in Atlassian Confluence There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. | 8.8 |
| 2019-04-30 | CVE-2018-20239 | Cross-site Scripting vulnerability in Atlassian products Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. | 5.4 |
| 2019-04-18 | CVE-2019-3398 | Path Traversal vulnerability in Atlassian Confluence Server Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. | 8.8 |
| 2019-03-25 | CVE-2019-3396 | Path Traversal vulnerability in Atlassian Confluence Server The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | 9.8 |
| 2019-03-25 | CVE-2019-3395 | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | 9.8 |