CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29444
https://notcve.org/view.php?id=CVE-2020-29444
07 May 2021 — Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. Unas versiones afectadas de Team Calendar en Confluence Server anteriores a 7.11.0, permiten a atacantes inyectar HTML o Javascript arbitrario por medio de una vulnerabilidad de tipo Cross Site Scripting en parámetros de configuración global de administración • https://jira.atlassian.com/browse/CONFSERVER-61266 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 8%CPEs: 2EXPL: 0CVE-2021-26072
https://notcve.org/view.php?id=CVE-2021-26072
01 Apr 2021 — The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. El plugin WidgetConnector en Confluence Server y Confluence Data Center anterior a versión 5.8.6, permitía a atacantes remotos manipular el contenido de los recursos de la red interna a través de una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) ciega del servi... • https://jira.atlassian.com/browse/CONFSERVER-61399 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-29448
https://notcve.org/view.php?id=CVE-2020-29448
18 Feb 2021 — The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. La clase ConfluenceResourceDownloadRewriteRule en Confluence Server y Confluence Data Center versiones anteriores a 6.13.18, desde 6.14.0 anteriores a 7.4.6 y desde 7.5.0 anteriores a 7.8.3, permit... • https://jira.atlassian.com/browse/CONFSERVER-60469 •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29450
https://notcve.org/view.php?id=CVE-2020-29450
19 Jan 2021 — Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. Las versiones afectadas de Atlassian Confluence Server y Data Center permiten a atacantes remotos afectar la disponibilidad de la aplicación por medio de una vulnerabilidad de Denegación de Servicio (DoS) en la funcionalidad de carga del avatar. Las versiones a... • https://jira.atlassian.com/browse/CONFSERVER-60854 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2020-14175
https://notcve.org/view.php?id=CVE-2020-14175
24 Jul 2020 — Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2. Las versiones afectadas de Atlassian Confluence Server y Data Center, permiten a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) en los parámetros de ma... • https://jira.atlassian.com/browse/CONFSERVER-60102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-4027
https://notcve.org/view.php?id=CVE-2020-4027
01 Jul 2020 — Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1. Las versiones afectadas de Atlassian Confluence Server y Data Center permitían a los atacantes remotos con permisos de administración del sistema saltarse las mitigaciones de inyección de planti... • https://jira.atlassian.com/browse/CONFSERVER-59898 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-20102
https://notcve.org/view.php?id=CVE-2019-20102
22 Apr 2020 — The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter. La funcionalidad de carga de archivos adjuntos en Atlassian Confluence Server desde versión 6.14.0 hasta versión 6.14.3, y versión 6.15.0 anterior a versión 6.15.5, permite a atacantes remotos lograr un ataque de tipo cross-sit... • https://jira.atlassian.com/browse/CONFSERVER-59358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-20406
https://notcve.org/view.php?id=CVE-2019-20406
06 Feb 2020 — The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable variable to inject code & escalate their privileges via a DLL hijacking vulnerability. El uso de Tomcat en Confluence en el sistema operativo Microsoft Windows antes de la versión 7.0.5 y desde la versión 7.1.0 antes de la versión 7.1.1, permi... • https://jira.atlassian.com/browse/CONFSERVER-59428 • CWE-427: Uncontrolled Search Path Element •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-15006 – Atlassian Confluence Man-In-The-Middle
https://notcve.org/view.php?id=CVE-2019-15006
19 Dec 2019 — There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate f... • http://packetstormsecurity.com/files/155742/Atlassian-Confluence-Man-In-The-Middle.html • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 8.8EPSS: 78%CPEs: 3EXPL: 2CVE-2019-3394 – Confluence Server Local File Disclosure
https://notcve.org/view.php?id=CVE-2019-3394
29 Aug 2019 — There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under