Vulnerabilities > Atlassian > Crowd
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-11-21 | CVE-2023-22521 | Unspecified vulnerability in Atlassian Crowd This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.6 of Crowd Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.0, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crowd Data Center and Server 3.4: Upgrade to a release greater than or equal to 5.1.6 Crowd Data Center and Server 5.2: Upgrade to a release greater than or equal to 5.2.1 See the release notes ([https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html]). | 8.8 |
2022-11-17 | CVE-2022-43782 | Unspecified vulnerability in Atlassian Crowd Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3 | 9.8 |
2021-03-01 | CVE-2020-36240 | Information Exposure vulnerability in Atlassian Crowd The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | 5.0 |
2020-02-06 | CVE-2019-20104 | XML Entity Expansion vulnerability in Atlassian Crowd The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. | 5.0 |
2019-12-17 | CVE-2017-18107 | Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Crowd Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. | 4.0 |
2019-11-08 | CVE-2019-15005 | Missing Authorization vulnerability in Atlassian products The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. | 4.0 |
2019-06-03 | CVE-2019-11580 | Unspecified vulnerability in Atlassian Crowd Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. | 7.5 |
2019-04-30 | CVE-2018-20239 | Cross-site Scripting vulnerability in Atlassian products Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. | 3.5 |
2019-03-29 | CVE-2017-18110 | XXE vulnerability in Atlassian Crowd The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. | 4.0 |
2019-03-29 | CVE-2017-18109 | Open Redirect vulnerability in Atlassian Crowd The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | 5.8 |