CVSS: 5.3EPSS: 97%CPEs: 6EXPL: 5CVE-2021-26086 – Atlassian Jira Server and Data Center Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2021-26086
16 Aug 2021 — Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos leer archivos particulares por medio de una vulnerabilidad de salto de ruta en el endpoint /WEB-INF/web.xml. Las versione... • https://packetstorm.news/files/id/164405 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 0CVE-2020-36239 – Jira Ehcache RMI Missing Authentication
https://notcve.org/view.php?id=CVE-2020-36239
27 Jul 2021 — Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to... • https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26083
https://notcve.org/view.php?id=CVE-2021-26083
20 Jul 2021 — Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. Una exportación de Informes HTML en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versión 8.6.0 anteriores a 8.13.6, y desde versión 8.14.0 anteriores a 8.16.1, permite a atacantes remotos inyectar HTML o Java... • https://jira.atlassian.com/browse/JRASERVER-72213 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26082
https://notcve.org/view.php?id=CVE-2021-26082
20 Jul 2021 — The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability. Una Exportación XML en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versión 8.6.0 anteriores a 8.13.6, y desde versión 8.14.0 anteriores a 8.17.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrari... • https://jira.atlassian.com/browse/JRASERVER-72393 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26081
https://notcve.org/view.php?id=CVE-2021-26081
20 Jul 2021 — REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint. Una API REST en Atlassian Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versión 8.6.0 anteriores a 8.13.6, y desde versión 8.14.0 anteriores a 8.16.1, permite a atacantes remotos enumerar nom... • https://jira.atlassian.com/browse/JRASERVER-72499 •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26079
https://notcve.org/view.php?id=CVE-2021-26079
07 Jun 2021 — The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. El componente CardLayoutConfigTable en Jira Server y Jira Data Center versiones anteriores a 8.5.15, y desde versiones 8.6.0 anteriores a versiones 8.13.7, y desde versiones 8.14.0v anteriores a 8.17.0, permite a atacantes... • https://jira.atlassian.com/browse/JRASERVER-72396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26080
https://notcve.org/view.php?id=CVE-2021-26080
07 Jun 2021 — EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. El archivo EditworkflowScheme.jspa en Jira Server y Jira Data Center versiones anteriores a 8.5.14, y desde versiones 8.6.0 anteriores a versiones 8.13.6, y desde versiones 8.14.0 anteriores a 8.16.1, permite a atacantes remotos inyectar HTML... • https://jira.atlassian.com/browse/JRASERVER-72432 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 96%CPEs: 6EXPL: 0CVE-2020-36289
https://notcve.org/view.php?id=CVE-2020-36289
12 May 2021 — Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a un usuario no autenticado enumerar usuarios a través de una vulnerabilidad de divulgación de información e... • https://jira.atlassian.com/browse/JRASERVER-71559 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26076
https://notcve.org/view.php?id=CVE-2021-26076
14 Apr 2021 — The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https. La cookie jira.editor.user.mode ajustada por Jira Editor Plugin en Jira Server y Data Cent... • https://jira.atlassian.com/browse/JRASERVER-72252 •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26075
https://notcve.org/view.php?id=CVE-2021-26075
14 Apr 2021 — The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename. El recurso de rest AttachTemporaryFile del plugin de importadores de Jira en Jira Server y Data Center versiones anter... • https://jira.atlassian.com/browse/JRASERVER-72316 •