Vulnerabilities > Atlassian

DATE CVE VULNERABILITY TITLE RISK
2019-12-17 CVE-2017-18107 Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Crowd
Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability.
network
low complexity
atlassian CWE-352
6.5
2019-12-13 CVE-2019-13347 Unspecified vulnerability in Atlassian Saml Single Sign on
An issue was discovered in the SAML Single Sign On (SSO) plugin for several Atlassian products affecting versions 3.1.0 through 3.2.2 for Jira and Confluence, versions 2.4.0 through 3.0.3 for Bitbucket, and versions 2.4.0 through 2.5.2 for Bamboo.
network
high complexity
atlassian
7.5
2019-12-11 CVE-2019-15009 Unspecified vulnerability in Atlassian Crucible
The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.
network
low complexity
atlassian
4.3
2019-12-11 CVE-2019-15008 Cross-site Scripting vulnerability in Atlassian Crucible
The /plugins/servlet/branchreview resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the reviewedBranch parameter.
network
low complexity
atlassian CWE-79
6.1
2019-12-11 CVE-2019-15007 Cross-site Scripting vulnerability in Atlassian Crucible
The review resource in Atlassian Fisheye and Crucible before version 4.7.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a missing branch.
network
low complexity
atlassian CWE-79
4.8
2019-11-08 CVE-2019-15005 Missing Authorization vulnerability in Atlassian products
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check.
network
low complexity
atlassian CWE-862
4.3
2019-11-07 CVE-2019-15004 Path Traversal vulnerability in Atlassian Jira Service Desk
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability.
network
low complexity
atlassian CWE-22
7.5
2019-11-07 CVE-2019-15003 Path Traversal vulnerability in Atlassian Jira Service Desk
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via authorization bypass.
network
low complexity
atlassian CWE-22
5.3
2019-09-19 CVE-2019-15001 Code Injection vulnerability in Atlassian Jira Server
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.
network
low complexity
atlassian CWE-94
7.2
2019-09-19 CVE-2019-15000 OS Command Injection vulnerability in Atlassian Bitbucket
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) allows remote attackers who have permission to access a repository, if public access is enabled for a project or repository then attackers are able to exploit this issue anonymously, to read the contents of arbitrary files on the system and execute commands via injecting additional arguments into git commands.
network
low complexity
atlassian CWE-78
critical
9.8