CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-4027
https://notcve.org/view.php?id=CVE-2020-4027
01 Jul 2020 — Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1. Las versiones afectadas de Atlassian Confluence Server y Data Center permitían a los atacantes remotos con permisos de administración del sistema saltarse las mitigaciones de inyección de planti... • https://jira.atlassian.com/browse/CONFSERVER-59898 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-20406
https://notcve.org/view.php?id=CVE-2019-20406
06 Feb 2020 — The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability. El uso de Tomcat en Confluence en el sistema operativo Microsoft Windows antes de la versión 7.0.5 y desde la versión 7.1.0 antes de la versión 7.1.1, permi... • https://jira.atlassian.com/browse/CONFSERVER-59428 • CWE-427: Uncontrolled Search Path Element •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-15006 – Atlassian Confluence Man-In-The-Middle
https://notcve.org/view.php?id=CVE-2019-15006
19 Dec 2019 — There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate f... • http://packetstormsecurity.com/files/155742/Atlassian-Confluence-Man-In-The-Middle.html • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2019-15005
https://notcve.org/view.php?id=CVE-2019-15005
08 Nov 2019 — The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center... • https://herolab.usd.de/security-advisories/usd-2019-0016 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 78%CPEs: 3EXPL: 2CVE-2019-3394 – Confluence Server Local File Disclosure
https://notcve.org/view.php?id=CVE-2019-3394
29 Aug 2019 — There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under
CVSS: 9.0EPSS: 94%CPEs: 4EXPL: 6CVE-2019-3398 – Atlassian Confluence Server and Data Center Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2019-3398
18 Apr 2019 — Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server... • https://packetstorm.news/files/id/155235 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 94%CPEs: 4EXPL: 26CVE-2019-3396 – Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-3396
25 Mar 2019 — The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. La macro de Widget Connector en Atlassian... • https://packetstorm.news/files/id/161065 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 12%CPEs: 4EXPL: 0CVE-2019-3395 – Atlassian Confluence SSRF / Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-3395
25 Mar 2019 — The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. El endpoint WebDAV en Atlassian Confluence Server and Data Center en versiones anteriores a la 6.6.7 (la versión so... • https://jira.atlassian.com/browse/CONFSERVER-57971 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13389
https://notcve.org/view.php?id=CVE-2018-13389
10 Jul 2018 — The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. El recurso attachment en Atlassian Confluence en versiones anteriores a la 6.6.1 permite que atacantes remotos suplanten el contenido web en el navegador Mozilla Firefox mediante adjuntos que tienen un tipo de contenido de application/rdf+xml. • http://www.securityfocus.com/bid/104755 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18083
https://notcve.org/view.php?id=CVE-2017-18083
02 Feb 2018 — The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. El recurso editinword en Atlassian Confluence Server, en versiones anteriores a la 6.4.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) a través del contenido de un archivo subido. • https://jira.atlassian.com/browse/CONFSERVER-54903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •