Vulnerabilities > Atlassian > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-25 | CVE-2023-22504 | Unrestricted Upload of File with Dangerous Type vulnerability in Atlassian Confluence Server Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. | 6.5 |
2023-05-01 | CVE-2023-22503 | Unspecified vulnerability in Atlassian Confluence Data Center Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. | 5.3 |
2022-10-14 | CVE-2022-36802 | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Jira Align The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. | 4.9 |
2022-08-03 | CVE-2022-36800 | Unspecified vulnerability in Atlassian Jira Service Management Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. | 4.3 |
2022-06-30 | CVE-2022-26135 | Server-Side Request Forgery (SSRF) vulnerability in Atlassian products A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. | 4.0 |
2022-04-05 | CVE-2021-39114 | Code Injection vulnerability in Atlassian Confluence Data Center and Confluence Server Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. | 6.5 |
2022-03-16 | CVE-2021-43955 | Unspecified vulnerability in Atlassian Crucible The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | 4.3 |
2022-03-16 | CVE-2021-43956 | Unspecified vulnerability in Atlassian Crucible The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. network atlassian | 4.3 |
2022-03-16 | CVE-2021-43957 | Authorization Bypass Through User-Controlled Key vulnerability in Atlassian Crucible Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. | 5.0 |
2022-03-14 | CVE-2021-43954 | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Crucible The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | 4.0 |