CVE-2020-14168
https://notcve.org/view.php?id=CVE-2020-14168
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability. El cliente de correo electrónico en Jira Server y Data Center versiones anteriores a 7.13.16, desde versiones 8.5.0 anteriores a 8.5.7, desde versiones 8.8.0 anteriores a 8.8.2 y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos acceder a correos electrónicos salientes entre una instancia de Jira y el servidor SMTP por medio de una vulnerabilidad de tipo man-in-the-middle (MITM) • https://jira.atlassian.com/browse/JRASERVER-71198 •
CVE-2020-14167
https://notcve.org/view.php?id=CVE-2020-14167
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability. El recurso MessageBundleResource en Jira Server y Data Center versiones anteriores a 7.13.4, desde versiones 8.5.0 anteriores a 8.5.5, desde versiones 8.8.0 anteriores a 8.8.2 y desde versiones 8.9.0 anteriores a 8.9.1, permite a atacantes remotos impactar la disponibilidad de la aplicación por medio de una vulnerabilidad de Denegación de Servicio (DoS) • https://jira.atlassian.com/browse/JRASERVER-71197 •
CVE-2020-14166 – Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS
https://notcve.org/view.php?id=CVE-2020-14166
The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file. El recurso /servicedesk/customer/portals en Jira Service Desk Server y Data Center versiones anteriores a 4.10.0, permite a atacantes remotos con privilegios de administrador de proyectos inyectar nombres HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo Cross Site Scripting (XSS) mediante la carga de un archivo html Atlassian Jira Service Desk version 4.9.1 suffers from a cross site scripting vulnerability via a file upload. • https://www.exploit-db.com/exploits/49748 http://packetstormsecurity.com/files/162107/Atlassian-Jira-Service-Desk-4.9.1-Cross-Site-Scripting.html https://jira.atlassian.com/browse/JSDSERVER-6895 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-14165
https://notcve.org/view.php?id=CVE-2020-14165
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability. El recurso UniversalAvatarResource.getAvatars en Jira Server and Data Center versiones anteriores a 8.9.0, permite a atacantes remotos obtener información sobre nombres de avatars de proyectos personalizados por medio de una vulnerabilidad de autorización inapropiada • https://jira.atlassian.com/browse/JRASERVER-71185 •
CVE-2020-14164
https://notcve.org/view.php?id=CVE-2020-14164
The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by pasting javascript code into the editor field. El recurso del editor WYSIWYG en Jira Server and Data Center versiones anteriores a 8.8.2, permite a atacantes remotos inyectar nombres HTML o JavaScript arbitrarios por medio de una vulnerabilidad de tipo Cross Site Scripting (XSS) al pegar un código javascript en el campo del editor • https://jira.atlassian.com/browse/JRASERVER-71184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •