ID | CVSS | Summary | Last (major) update | Published
CVE-2012-2926 6.4
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before
13-12-2021 - 16:01 22-05-2012 - 15:55
CVE-2019-15005 4.0
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message m
14-11-2019 - 21:15 08-11-2019 - 04:15
CVE-2012-2928 6.4
The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (re
14-05-2022 - 03:25 22-05-2012 - 15:55
CVE-2020-14181 5.0
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version
25-03-2022 - 18:14 17-09-2020 - 01:15
CVE-2020-36237 5.0
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are befor
21-07-2021 - 11:39 15-02-2021 - 00:15
CVE-2020-36234 3.5
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from v
30-03-2022 - 13:29 15-02-2021 - 00:15
CVE-2020-29451 4.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate Jira projects via an Information Disclosure vulnerability in the Jira Projects plugin report page. The affected versions are before version 8.5.11, from ve
25-03-2022 - 18:14 15-02-2021 - 01:15
CVE-2021-26070 6.4
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions ar
25-03-2022 - 18:14 22-03-2021 - 05:15
CVE-2021-26069 5.0
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations
30-03-2022 - 13:29 22-03-2021 - 05:15
CVE-2021-26071 3.5
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software co
30-03-2022 - 13:29 01-04-2021 - 03:15
CVE-2020-36238 5.0
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or n
30-03-2022 - 13:29 01-04-2021 - 03:15
CVE-2020-36286 5.0
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members
30-03-2022 - 13:29 01-04-2021 - 03:15
CVE-2020-36287 5.0
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related setting
30-03-2022 - 13:29 09-04-2021 - 02:15
CVE-2021-26075 4.0
The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path o
30-03-2022 - 13:29 15-04-2021 - 00:15
CVE-2020-36288 4.3
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DO
30-03-2022 - 13:29 15-04-2021 - 00:15
CVE-2021-26076 4.3
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can per
30-03-2022 - 13:29 15-04-2021 - 00:15
CVE-2020-36289 5.0
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version
30-03-2022 - 13:29 12-05-2021 - 04:15
CVE-2021-26079 4.3
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cr
30-03-2022 - 13:29 07-06-2021 - 23:15
CVE-2021-26078 4.3
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a c
22-04-2022 - 16:19 07-06-2021 - 23:15
CVE-2021-26083 3.5
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting
30-03-2022 - 13:29 20-07-2021 - 04:15
CVE-2021-26082 3.5
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripti
30-03-2022 - 13:29 20-07-2021 - 04:15
CVE-2021-26081 5.0
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/
30-03-2022 - 13:29 20-07-2021 - 04:15
CVE-2017-18113 6.8
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (R
10-08-2021 - 13:51 02-08-2021 - 03:15
CVE-2021-39112 4.9
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from vers
30-03-2022 - 13:29 25-08-2021 - 03:15
CVE-2021-39117 3.5
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field.
02-09-2021 - 02:41 30-08-2021 - 07:15
CVE-2021-39113 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions ar
30-03-2022 - 13:29 30-08-2021 - 07:15
CVE-2021-39111 4.3
The Editor plugin in Atlassian Jira Server and Data Center before version 8.5.18, from 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnera
30-03-2022 - 13:29 30-08-2021 - 07:15
CVE-2021-39119 5.0
Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification
10-09-2021 - 15:40 01-09-2021 - 23:15
CVE-2021-39121 4.0
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affec
30-03-2022 - 13:29 08-09-2021 - 02:15
CVE-2021-39122 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from ve
30-03-2022 - 13:29 08-09-2021 - 02:15
CVE-2021-39125 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to discover the usernames of users via an enumeration vulnerability in the password reset page. The affected versions are before version 8.5.10, and from vers
25-03-2022 - 18:14 14-09-2021 - 07:15
CVE-2021-39124 4.3
The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted req
24-02-2022 - 20:18 14-09-2021 - 05:15
CVE-2021-39123 5.0
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The af
24-09-2021 - 12:18 14-09-2021 - 05:15
CVE-2021-39118 5.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0
24-09-2021 - 12:36 14-09-2021 - 05:15
CVE-2019-20101 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.
18-10-2021 - 12:13 14-09-2021 - 05:15
CVE-2021-39128 6.5
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Te
12-05-2022 - 01:01 16-09-2021 - 06:15
CVE-2021-41304 4.3
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affect
30-03-2022 - 13:29 26-10-2021 - 05:15
CVE-2021-41312 5.0
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication
04-11-2021 - 21:08 03-11-2021 - 04:15
CVE-2021-43946 4.0
Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected
12-01-2022 - 18:25 05-01-2022 - 04:15
CVE-2021-43947 9.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of h
30-03-2022 - 13:29 06-01-2022 - 01:15
CVE-2021-43941 4.3
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-i
30-03-2022 - 13:29 15-02-2022 - 04:15
CVE-2021-43953 4.3
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentati
25-04-2022 - 19:35 15-02-2022 - 03:15
CVE-2021-43952 4.3
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint.
23-02-2022 - 02:20 15-02-2022 - 01:15
CVE-2021-43945 3.5
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConf
08-03-2022 - 17:17 28-02-2022 - 01:15
CVE-2020-14183 4.0
Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affect
19-10-2020 - 13:51 06-10-2020 - 23:15
CVE-2008-6531 6.8
The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."
17-08-2017 - 01:29 26-03-2009 - 21:00
CVE-2014-2313 4.3
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors. Per: https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26
10-03-2014 - 16:38 09-03-2014 - 13:16
CVE-2014-2314 4.3
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors. Per: https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-0
29-07-2015 - 16:21 09-03-2014 - 13:16
CVE-2012-2927 4.0
The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and 7.x before 7.0.3 for Atlassian JIRA does not properly restrict the capabilities of third-party XML parsers, which allows remote authenticated users to cause a denial of service (r
29-08-2017 - 01:31 22-05-2012 - 15:55
CVE-2019-11586 4.3
The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerabilit
25-03-2022 - 17:20 23-08-2019 - 14:15
CVE-2017-14594 4.3
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query
28-03-2022 - 13:05 12-01-2018 - 14:29
CVE-2019-11587 4.3
Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (C
25-03-2022 - 17:20 23-08-2019 - 14:15
CVE-2017-16865 3.5
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to a
02-02-2018 - 15:24 17-01-2018 - 14:29
CVE-2019-11584 4.3
The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority.
26-08-2019 - 19:43 23-08-2019 - 14:15
CVE-2017-16863 4.3
The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
05-02-2018 - 14:51 18-01-2018 - 18:29
CVE-2019-11588 4.3
The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request for
25-03-2022 - 17:20 23-08-2019 - 14:15
CVE-2016-4319 6.8
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
16-02-2018 - 02:29 10-04-2017 - 03:59
CVE-2017-16862 4.3
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
31-01-2018 - 18:08 12-01-2018 - 14:29
CVE-2019-11585 5.8
The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a p
25-03-2022 - 17:20 23-08-2019 - 14:15
CVE-2013-5319 4.3
Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/Del
21-08-2013 - 14:05 20-08-2013 - 14:55
CVE-2017-16864 4.3
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
31-01-2018 - 18:32 12-01-2018 - 14:29
CVE-2016-4318 3.5
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
16-02-2018 - 02:29 10-04-2017 - 03:59
CVE-2019-11583 4.0
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name".
24-08-2020 - 17:37 26-06-2019 - 16:15
CVE-2020-14172 7.5
This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected vers
03-05-2022 - 13:59 03-07-2020 - 02:15
CVE-2017-18104 4.3
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should
25-03-2022 - 17:22 24-07-2018 - 13:29
CVE-2016-6285 4.3
Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
03-02-2017 - 16:10 31-01-2017 - 22:59
CVE-2018-13401 5.8
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.
25-03-2022 - 17:22 23-10-2018 - 13:29
CVE-2018-13387 4.3
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 al
25-03-2022 - 17:22 16-07-2018 - 13:29
CVE-2020-14174 4.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are bef
30-03-2022 - 13:21 13-07-2020 - 05:15
CVE-2017-18033 4.3
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
05-02-2018 - 14:51 18-01-2018 - 14:29
CVE-2017-18100 4.3
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
14-05-2018 - 15:23 10-04-2018 - 13:29
CVE-2018-13395 4.3
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 a
25-03-2022 - 17:22 28-08-2018 - 12:29
CVE-2018-13402 5.8
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before ve
25-03-2022 - 17:22 23-10-2018 - 13:29
CVE-2017-18097 3.5
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability
09-05-2018 - 18:04 06-04-2018 - 13:29
CVE-2018-13403 3.5
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross s
25-03-2022 - 17:22 13-02-2019 - 18:29
CVE-2017-18101 6.4
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attack
22-04-2022 - 20:40 10-04-2018 - 13:29
CVE-2020-14173 3.5
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. The affected versions are before version 8.5.4, from
30-03-2022 - 13:21 03-07-2020 - 02:15
CVE-2019-15013 4.0
The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to
25-03-2022 - 17:20 18-12-2019 - 04:15
CVE-2018-13391 5.0
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from ver
25-03-2022 - 17:22 28-08-2018 - 12:29
CVE-2017-18098 4.3
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
09-05-2018 - 18:04 06-04-2018 - 13:29
CVE-2020-14168 4.3
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via ma
30-03-2022 - 13:17 01-07-2020 - 02:15
CVE-2020-4029 4.0
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization
30-03-2022 - 13:21 01-07-2020 - 02:15
CVE-2020-4028 5.0
In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not throu
08-07-2020 - 14:26 23-06-2020 - 13:15
CVE-2020-14169 4.3
The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability
09-07-2020 - 16:25 01-07-2020 - 02:15
CVE-2020-4021 3.5
Affected versions (before 8.5.5, and from 8.6.0 before 8.8.1) of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
30-03-2022 - 13:21 01-06-2020 - 07:15
CVE-2020-14167 5.0
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of S
30-03-2022 - 13:17 01-07-2020 - 02:15
CVE-2018-13400 6.5
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from versio
25-03-2022 - 17:22 23-10-2018 - 13:29
CVE-2018-13404 4.0
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from
25-03-2022 - 17:22 13-02-2019 - 18:29
CVE-2020-4022 4.3
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerabi
30-03-2022 - 13:21 01-07-2020 - 02:15
CVE-2020-4025 3.5
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inje
30-03-2022 - 13:21 01-07-2020 - 02:15
CVE-2020-14178 5.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version
30-03-2022 - 13:21 01-09-2020 - 05:15
CVE-2020-14165 5.0
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.
21-07-2021 - 11:39 01-07-2020 - 02:15
CVE-2018-20232 3.5
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved
25-03-2022 - 17:22 13-02-2019 - 18:29
CVE-2020-14164 4.3
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via a Cross Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
13-07-2020 - 21:18 01-07-2020 - 02:15
CVE-2019-20418 4.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint. The affected versions are before versio
09-07-2020 - 18:05 03-07-2020 - 01:15
CVE-2018-5231 5.0
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of servic
25-03-2022 - 17:22 16-05-2018 - 13:29
CVE-2019-20411 4.3
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2
30-03-2022 - 13:16 29-06-2020 - 06:15
CVE-2019-20897 4.0
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and
30-03-2022 - 13:21 13-07-2020 - 01:15
CVE-2019-20416 3.5
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3
07-07-2020 - 18:25 30-06-2020 - 03:15
CVE-2019-20419 4.4
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2.
30-03-2022 - 13:21 03-07-2020 - 02:15
CVE-2019-20898 5.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
21-07-2021 - 11:39 13-07-2020 - 01:15
CVE-2019-20901 5.8
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the o
25-03-2022 - 18:14 13-07-2020 - 05:15
CVE-2019-3399 5.0
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
25-03-2022 - 17:20 30-04-2019 - 16:29
CVE-2019-8443 6.8
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades admin
22-04-2022 - 20:10 22-05-2019 - 18:29
CVE-2019-20106 4.0
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions
30-03-2022 - 13:20 06-02-2020 - 03:15
CVE-2019-8442 5.0
The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF direct
22-04-2022 - 20:10 22-05-2019 - 18:29
CVE-2019-20413 5.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9
30-03-2022 - 13:16 29-06-2020 - 06:15
CVE-2019-20402 4.0
Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability.
24-08-2020 - 17:37 06-02-2020 - 03:15
CVE-2019-8449 5.0
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
01-01-2022 - 20:19 11-09-2019 - 14:15
CVE-2018-5232 4.3
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
25-03-2022 - 17:22 18-07-2018 - 14:29
CVE-2019-20417 5.8
NOTE: This candidate is a duplicate of CVE-2019-15011. All CVE users should reference CVE-2019-15011 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
30-03-2022 - 13:20 02-07-2020 - 01:15
CVE-2020-4024 3.5
The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerabi
30-03-2022 - 13:21 01-07-2020 - 02:15
CVE-2018-20826 4.0
The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
09-10-2019 - 23:39 09-08-2019 - 20:15
CVE-2018-20824 4.3
The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
06-05-2019 - 00:32 03-05-2019 - 20:29
CVE-2019-3401 5.0
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
25-03-2022 - 17:20 22-05-2019 - 18:29
CVE-2019-20408 5.0
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist
08-07-2020 - 18:31 01-07-2020 - 02:15
CVE-2019-20412 5.0
The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of
30-03-2022 - 13:16 29-06-2020 - 06:15
CVE-2019-3403 5.0
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
25-03-2022 - 17:20 22-05-2019 - 18:29
CVE-2018-5230 4.3
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript vi
25-03-2022 - 17:22 14-05-2018 - 13:29
CVE-2019-20410 4.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from vers
30-03-2022 - 13:16 29-06-2020 - 06:15
CVE-2019-3402 4.3
The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName
25-03-2022 - 17:20 22-05-2019 - 18:29
CVE-2019-20414 3.5
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9,
30-03-2022 - 13:16 29-06-2020 - 07:15
CVE-2019-20409 7.5
The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.
06-07-2020 - 15:00 23-06-2020 - 06:15
CVE-2019-20415 4.3
Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0
30-03-2022 - 13:14 30-06-2020 - 03:15
CVE-2019-20899 5.0
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from ver
30-03-2022 - 13:21 13-07-2020 - 01:15
CVE-2020-14184 3.5
Affected versions of Atlassian Jira Server allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in Jira issue filter export files. The affected versions are before 8.5.9, from version 8.6.0 befo
25-03-2022 - 18:14 12-10-2020 - 04:15
CVE-2020-14185 5.0
Affected versions of Jira Server allow remote unauthenticated attackers to enumerate issue keys via a missing permissions check in the ActionsAndOperations resource. The affected versions are before 7.13.18, from version 8.0.0 before 8.5.9, and from
25-03-2022 - 18:14 15-10-2020 - 22:15
CVE-2020-36231 4.0
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.
30-03-2022 - 13:21 02-02-2021 - 00:15
CVE-2020-36235 5.0
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version
25-03-2022 - 18:14 15-02-2021 - 00:15
CVE-2020-36236 4.3
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected ver
30-03-2022 - 13:21 15-02-2021 - 00:15
CVE-2021-39127 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to access the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from v
30-03-2022 - 13:21 21-10-2021 - 03:15
CVE-2021-41308 4.0
Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint.
30-03-2022 - 13:21 26-10-2021 - 05:15
CVE-2021-41307 5.0
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget
25-03-2022 - 18:14 26-10-2021 - 05:15
CVE-2021-41306 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected vers
03-05-2022 - 16:04 26-10-2021 - 05:15
CVE-2021-41305 5.0
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadge
03-05-2022 - 16:04 26-10-2021 - 05:15
CVE-2021-43944 6.5
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator pe
25-03-2022 - 18:14 08-03-2022 - 02:15