Vulnerabilities > Atlassian > Crowd > 3.2.8

DATE CVE VULNERABILITY TITLE RISK
2022-11-17 CVE-2022-43782 Unspecified vulnerability in Atlassian Crowd
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3
network
low complexity
atlassian
critical
9.8
2021-03-01 CVE-2020-36240 Information Exposure vulnerability in Atlassian Crowd
The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
network
low complexity
atlassian CWE-200
5.0
2020-02-06 CVE-2019-20104 XML Entity Expansion vulnerability in Atlassian Crowd
The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
network
low complexity
atlassian CWE-776
5.0
2019-11-08 CVE-2019-15005 Missing Authorization vulnerability in Atlassian products
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check.
network
low complexity
atlassian CWE-862
4.0
2019-04-30 CVE-2018-20239 Cross-site Scripting vulnerability in Atlassian products
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter.
network
atlassian CWE-79
3.5