
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.

• https://www.exploit-db.com/exploits/40989
• http://packetstormsecurity.com/files/140363/Atlassian-Confluence-5.9.12-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2017/Jan/12
• http://seclists.org/fulldisclosure/2017/Jan/3
• http://www.securityfocus.com/bid/95288
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 30 | EXPL: 0

The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages.

• http://packetstormsecurity.com/files/139004/Atlassian-HipChat-Secret-Key-Disclosure.html
• http://www.securityfocus.com/archive/1/539530/100/0/threaded
• http://www.securityfocus.com/bid/93159
• https://confluence.atlassian.com/bitbucketserver/bitbucket-server-security-advisory-2016-09-21-840698321.html
• https://confluence.atlassian.com/doc/confluence-security-advisory-2016-09-21-849052104.html
• https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2016-09-21-849052099.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.

Atlassian Confluence suffers from cross site scripting and insecure direct object reference vulnerabilities. The cross site scripting affects versions 5.2, 5.8.14, and 5.8.15. The reference vulnerability affects versions 5.9.1, 5.8.14, and 5.8.15.

• https://www.exploit-db.com/exploits/39170
• http://www.securityfocus.com/archive/1/537232/100/0/threaded
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 96% | CPEs: 1 | EXPL: 1

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.

Atlassian Confluence suffers from cross site scripting and insecure direct object reference vulnerabilities. The cross site scripting affects versions 5.2, 5.8.14, and 5.8.15. The reference vulnerability affects versions 5.9.1, 5.8.14, and 5.8.15.

• https://www.exploit-db.com/exploits/39170
• http://www.securityfocus.com/archive/1/537232/100/0/threaded
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that log out the user via a comment.

Atlassian Confluence version 3.0 suffers from multiple cross site request forgery vulnerabilities. The vendor has decided not to fix these issues.

• http://archives.neohapsis.com/archives/bugtraq/2013-01/0066.html
• http://packetstormsecurity.com/files/116829/Atlassian-Confluence-3.0-Cross-Site-Request-Forgery.html
• http://www.halock.com/blog/cve-2012-6342-atlassian-confluence-multiple-cross-site-request-forgery-csrf-vulnerabilities
• http://www.securityfocus.com/archive/1/524217/30/450/threaded
• https://jira.atlassian.com/browse/CONFSERVER-22784
• CWE-352: Cross-Site Request Forgery (CSRF)