Vulnerabilities > Atlassian

DATE        CVE             VULNERABILITY TITLE (description and risk fields follow each entry)

2019-03-29  CVE-2017-18111  XXE vulnerability in Atlassian Application Links
    The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-611; score 8.7

2019-03-29  CVE-2017-18110  XXE vulnerability in Atlassian Crowd
    The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via an XXE vulnerability.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-611; score 6.5

2019-03-29  CVE-2017-18109  Open Redirect vulnerability in Atlassian Crowd
    The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website, which they may use as part of a phishing attack, via an open redirect.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-601; score 6.1

2019-03-29  CVE-2017-18108  Code Injection vulnerability in Atlassian Crowd
    The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-94; score 7.2

2019-03-29  CVE-2017-18106  Improper Authentication vulnerability in Atlassian Crowd
    The identifier_hash for a session token in Atlassian Crowd before version 2.9.1 could potentially collide with the identifier_hash of another user or of a user in a different directory. This allows remote attackers who can authenticate to Crowd, or to an application using Crowd for authentication, to gain access to another user's session, provided they can make their identifier hash collide with that user's session identifier hash.
    Risk: attack vector network; high complexity; vendor atlassian; CWE-287; score 7.5

2019-03-29  CVE-2017-18105  Session Fixation vulnerability in Atlassian Crowd
    The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers who have previously obtained a user's JSESSIONID cookie to gain access to some of the built-in and potentially third-party REST resources via a session fixation vulnerability.
    Risk: attack vector network; high complexity; vendor atlassian; CWE-384; score 8.1

2019-03-25  CVE-2019-3396  Path Traversal vulnerability in Atlassian Confluence
    The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-22; critical; score 9.8

2019-03-25  CVE-2019-3395  Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence
    The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-918; critical; score 9.8

2019-03-08  CVE-2018-20236  Command Injection vulnerability in Atlassian Sourcetree
    There was a command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling.
    Risk: attack vector network; low complexity; vendor atlassian; CWE-77; score 8.8

2019-03-08  CVE-2018-20235  Unspecified vulnerability in Atlassian Sourcetree
    There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories.
    Risk: attack vector network; low complexity; vendor atlassian; score 8.8