CVE-2019-20410
https://notcve.org/view.php?id=CVE-2019-20410
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2. Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos visualizar información confidencial por medio de una vulnerabilidad de divulgación de información en la funcionalidad de restricción de comentarios. Las versiones afectadas son anteriores a la versión 7.6.17, desde la versión 7.7.0 anteriores a 7.13.9, y desde la versión 8.0.0 anteriores a 8.4.2 • https://jira.atlassian.com/browse/JRASERVER-70884 •
CVE-2020-4021
https://notcve.org/view.php?id=CVE-2020-4021
Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view. Unas versiones afectadas son: versiones anteriores a 8.5.5, y desde versiones 8.6.0 anteriores a 8.8.1 de Atlassian Jira Server y Data Center, permiten a atacantes remotos inyectar HTML o Javascript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS) en la vista de exportación XML. • https://jira.atlassian.com/browse/JRASERVER-70923 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-20407
https://notcve.org/view.php?id=CVE-2019-20407
The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check. Se ha identificado una vulnerabilidad en el servidor de aplicaciones SPPA-T3000 (todas las versiones anteriores a la versión Service Pack R8.2 SP2). Un atacante con acceso de red al servidor de aplicaciones podría obtener acceso a registros y archivos de configuración enviando paquetes específicamente diseñados a 80 / tcp. Tenga en cuenta que un atacante debe tener acceso de red al Servidor de aplicaciones para aprovechar esta vulnerabilidad. En el momento de la publicación del aviso no se conocía la explotación pública de esta vulnerabilidad de seguridad. • https://jira.atlassian.com/browse/JRASERVER-70599 • CWE-862: Missing Authorization •
CVE-2019-20100
https://notcve.org/view.php?id=CVE-2019-20100
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El plugin Atlassian Application Links es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://ecosystem.atlassian.net/browse/APL-1390 https://jira.atlassian.com/browse/JRASERVER-70607 https://www.tenable.com/security/research/tra-2020-06 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-20099
https://notcve.org/view.php?id=CVE-2019-20099
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El componte VerifyPopServerConnection!add.jspa en Atlassian Jira Server and Data Center anterior a versión 8.7.0, es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70606 https://www.tenable.com/security/research/tra-2020-05 • CWE-352: Cross-Site Request Forgery (CSRF) •