Vulnerabilities > Atlassian > Confluence Server > Critical

DATE CVE VULNERABILITY TITLE RISK
2024-01-16 CVE-2023-22527 Injection vulnerability in Atlassian Confluence Data Center and Confluence Server
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance.
network
low complexity
atlassian CWE-74
critical
9.8
2023-10-31 CVE-2023-22518 Incorrect Authorization vulnerability in Atlassian Confluence Data Center
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability.
network
low complexity
atlassian CWE-863
critical
9.8
2023-10-04 CVE-2023-22515 Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
network
low complexity
atlassian
critical
9.8
2022-07-20 CVE-2022-26136 Improper Authentication vulnerability in Atlassian products
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps.
network
low complexity
atlassian CWE-287
critical
9.8
2022-06-03 CVE-2022-26134 Expression Language Injection vulnerability in Atlassian Confluence Data Center and Confluence Server
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
network
low complexity
atlassian CWE-917
critical
9.8
2021-08-30 CVE-2021-26084 Expression Language Injection vulnerability in Atlassian Confluence Data Center and Confluence Server
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
network
low complexity
atlassian CWE-917
critical
9.8
2019-03-25 CVE-2019-3395 Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
network
low complexity
atlassian CWE-918
critical
9.8
2019-03-25 CVE-2019-3396 Path Traversal vulnerability in Atlassian Confluence
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
network
low complexity
atlassian CWE-22
critical
9.8
2012-05-22 CVE-2012-2926 Unspecified vulnerability in Atlassian products
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
network
low complexity
atlassian
critical
9.1