Vulnerabilities > Atlassian > Confluence Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-19 | CVE-2019-15006 | Improper Control of Dynamically-Managed Code Resources vulnerability in Atlassian Confluence and Confluence Server There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. | 6.5 |
| 2019-08-29 | CVE-2019-3394 | Path Traversal vulnerability in Atlassian Confluence There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. | 8.8 |
| 2019-04-30 | CVE-2018-20239 | Cross-site Scripting vulnerability in Atlassian products Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. | 5.4 |
| 2019-04-18 | CVE-2019-3398 | Path Traversal vulnerability in Atlassian Confluence Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. | 8.8 |
| 2019-03-25 | CVE-2019-3396 | Path Traversal vulnerability in Atlassian Confluence The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. | 9.8 |
| 2019-03-25 | CVE-2019-3395 | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. | 9.8 |
| 2019-02-13 | CVE-2018-20237 | Exposure of Resource to Wrong Sphere vulnerability in Atlassian Confluence Server Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | 6.5 |
| 2017-04-27 | CVE-2017-7415 | Information Exposure vulnerability in Atlassian Confluence Server Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource. | 7.5 |
| 2017-01-23 | CVE-2016-6668 | Information Exposure vulnerability in Atlassian Confluence Server and Jira Integration for Hipchat The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages. | 7.5 |
| 2012-05-22 | CVE-2012-2926 | Unspecified vulnerability in Atlassian products Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. | 9.1 |