CVE-2021-39117
https://notcve.org/view.php?id=CVE-2021-39117
The AssociateFieldToScreens page in Atlassian Jira Server and Data Center before version 8.18.0 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability via the name of a custom field. La página AssociateFieldToScreens en Atlassian Jira Server y Data Center versiones anteriores a 8.18.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS) por medio del nombre de un campo personalizado. • https://jira.atlassian.com/browse/JRASERVER-72597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-39113
https://notcve.org/view.php?id=CVE-2021-39113
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0. Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos anónimos seguir visualizando el contenido en caché incluso después de perder los permisos, por medio de una vulnerabilidad de Control de Acceso Roto en la funcionalidad allowlist. Las versiones afectadas son versiones anteriores a 8.13.9, y desde versiones 8.14.0 anteriores a 8.18.0. • https://jira.atlassian.com/browse/JRASERVER-72573 • CWE-613: Insufficient Session Expiration •
CVE-2017-18113
https://notcve.org/view.php?id=CVE-2017-18113
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. La clase DefaultOSWorkflowConfigurator en Jira Server y Jira Data Center versiones anteriores a 8.18.1, permite a atacantes remotos que pueden engañar a un administrador del sistema para importar su workflow malicioso para ejecutar código arbitrario a través de una vulnerabilidad de Ejecución de Código Remota (RCE). • https://jira.atlassian.com/browse/JRASERVER-72660 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-26078 – Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-26078
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. El componente number range searcher en Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versiones 8.6.0 anteriores a versiones 8.13.6, y desde versiones 8.14.0 versiones anteriores a 8.16.1 permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo cross site scripting (XSS) Atlassian Jira Server / Data Center version 8.16.0 suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50068 http://packetstormsecurity.com/files/163289/Atlassian-Jira-Server-Data-Center-8.16.0-Cross-Site-Scripting.html https://jira.atlassian.com/browse/JRASERVER-72392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-36287
https://notcve.org/view.php?id=CVE-2020-36287
The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. El recurso de preferencia de gadgets del panel de control del plugin de gadgets de Atlassian usado en Jira Server y Jira Data Center versiones anteriores a 8.13.5, y desde versión 8.14.0 anterior a 8.15.1, permite a atacantes remotos y anónimos obtener configuraciones relacionadas con gadgets por medio de una falta de comprobación de permisos • https://github.com/f4rber/CVE-2020-36287 https://jira.atlassian.com/browse/JRASERVER-72258 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •