CVE-2019-20099
https://notcve.org/view.php?id=CVE-2019-20099
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El componte VerifyPopServerConnection!add.jspa en Atlassian Jira Server and Data Center anterior a versión 8.7.0, es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70606 https://www.tenable.com/security/research/tra-2020-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-20098
https://notcve.org/view.php?id=CVE-2019-20098
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El componente VerifySmtpServerConnection!add.jspa en Atlassian Jira Server and Data Center anterior a versión 8.7.0, es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70605 https://www.tenable.com/security/research/tra-2020-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-20404
https://notcve.org/view.php?id=CVE-2019-20404
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. La API en Atlassian Jira Server y Data Center antes de la versión 8.6.0, permite a atacantes remotos autenticados determinar los títulos de proyectos a los que no tienen acceso por medio de una vulnerabilidad de autorización inapropiada. • https://jira.atlassian.com/browse/JRASERVER-70569 •
CVE-2019-20106
https://notcve.org/view.php?id=CVE-2019-20106
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug. Las propiedades de comentarios en Atlassian Jira Server y Data Center antes de la versión 7.13.12, desde versión 8.0.0 antes de la versión 8.5.4 y versión 8.6.0 antes de la versión 8.6.1, permiten a atacantes remotos hacer comentarios sobre un ticket para el que no tienen permisos de comentarios por medio de un bug de control de acceso roto. • https://jira.atlassian.com/browse/JRASERVER-70543 • CWE-276: Incorrect Default Permissions •