CVE-2017-16865
https://notcve.org/view.php?id=CVE-2017-16865
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information. El importador Trello en Atlassian Jira, en versiones anteriores a la 7.6.1, permite que atacantes remotos accedan al contenido de recursos de red internos mediante Server Side Request Forgery (SSRF). Cuando se ejecuta en un entorno como Amazon EC2, este error puede emplearse para acceder a un recurso de metadatos que proporciona credenciales de acceso y otro tipo de información potencialmente confidencial. • https://jira.atlassian.com/browse/JRASERVER-66642 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2017-16864
https://notcve.org/view.php?id=CVE-2017-16864
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter. El recurso issue search en Atlassian Jira, en versiones anteriores a la 7.4.2, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el parámetro orderby. • http://www.securityfocus.com/bid/102505 https://jira.atlassian.com/browse/JRASERVER-66624 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-14594
https://notcve.org/view.php?id=CVE-2017-14594
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter. El recurso printable searchrequest issue en Atlassian Jira antes de la versión 7.2.12 y desde la versión 7.3.0 hasta la 7.6.1 permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) en el parámetro query de jqlQuery. • https://jira.atlassian.com/browse/JRASERVER-66495 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-16862
https://notcve.org/view.php?id=CVE-2017-16862
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability. El recurso IncomingMailServers en Atlassian Jira, en versiones anteriores a la 7.6.2, permite que atacantes remotos modifiquen la configuración de lista blanca "incoming mail" mediante una vulnerabilidad de Cross-Site Request Forgery (CSRF). • http://www.securityfocus.com/bid/102506 https://jira.atlassian.com/browse/JRASERVER-66622 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-5983
https://notcve.org/view.php?id=CVE-2017-5983
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. El complemento de JIRA Workflow Designer en Atlassian JIRA Server en versiones anteriores a 6.3.0 utiliza incorrectamente un analizador y deserializador XML, que permite a atacantes remotos ejecutar código arbitrario, leer archivos arbitrarios o provocar una denegación de servicio a través de un objeto Java serializado. • http://codewhitesec.blogspot.com/2017/04/amf.html http://www.securityfocus.com/bid/97379 https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html https://jira.atlassian.com/browse/JRASERVER-64077 https://www.kb.cert.org/vuls/id/307983 • CWE-502: Deserialization of Untrusted Data •