CVSS: 9.0EPSS: 23%CPEs: 12EXPL: 0CVE-2019-15001 – Jira Server / Data Center Template Injection
https://notcve.org/view.php?id=CVE-2019-15001
19 Sep 2019 — The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. El plugin Jira Importers en Atlassian Jira Server y Data Cente desde la versión 7.0.10 anterior a 7.6.16, desde ... • http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 94%CPEs: 1EXPL: 4CVE-2019-8451
https://notcve.org/view.php?id=CVE-2019-8451
11 Sep 2019 — The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. El recurso /plugins/servlet/gadgets/makeRequest en Jira versiones anteriores a 8.4.0, permite a atacantes remotos acceder al contenido de recursos de la red interna por medio de una vulnerabilidad de tipo Server Side Request Forgery (SSRF) debido a un err... • https://github.com/jas502n/CVE-2019-8451 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1CVE-2019-14998
https://notcve.org/view.php?id=CVE-2019-14998
11 Sep 2019 — The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance. La implementación de la protección de Cross-Site Request Forgery (CSRF) de una acción de Webwork en Jira versiones anteriores a 8.4.0, permite a atacantes remotos omitir su protección mediante el "cookie tossing" de una cookie CSRF desde un subdominio de una instancia de Jira. • https://jira.atlassian.com/browse/JRASERVER-69791 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 3%CPEs: 1EXPL: 2CVE-2019-14995
https://notcve.org/view.php?id=CVE-2019-14995
11 Sep 2019 — The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check. El recurso /rest/api/1.0/render en Jira versiones anteriores a 8.4.0, permite a atacantes anónimos remotos determinar si existe un archivo adjunto con un nombre específico y si una clave de problema es válida mediante una falta de comprobación de permisos. • https://jira.atlassian.com/browse/JRASERVER-69792 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 86%CPEs: 1EXPL: 1CVE-2019-8446
https://notcve.org/view.php?id=CVE-2019-8446
23 Aug 2019 — The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check. El recurso / rest / issueNav / 1 / issueTable en Jira antes de la versión 8.3.2 permite a los atacantes remotos enumerar nombres de usuario mediante una verificación de autorización incorrecta. • https://jira.atlassian.com/browse/JRASERVER-69777 • CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-8444
https://notcve.org/view.php?id=CVE-2019-8444
23 Aug 2019 — The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification. l componente wikirenderer en Jira antes de la versión 7.13.6 y desde la versión 8.0.0 antes de la versión 8.3.2 permite a los atacantes remotos inyectar HTML o JavaScript arbitrario a través de una vulnerabilidad de secuencias de comandos de sitios cruzados (XSS) en... • https://jira.atlassian.com/browse/JRASERVER-69779 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 94%CPEs: 5EXPL: 3CVE-2019-11581 – Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-11581
23 Jul 2019 — There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability. Se presentó una vulnerabilidad de iny... • https://github.com/jas502n/CVE-2019-11581 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-3400
https://notcve.org/view.php?id=CVE-2019-3400
03 May 2019 — The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter. El gadget de etiquetas en Jira, en versiones anteriores a 7.13.2 y a partir de la versión 8.0.0 pero antes de la versión 8.0.2, permite a los atacantes remotos inyectar HTML o JavaScript arbitrarios a través de una vulnerabilidad de XSS en el parámetro jql. • http://www.securityfocus.com/bid/108168 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2018-20239
https://notcve.org/view.php?id=CVE-2018-20239
30 Apr 2019 — Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3... • https://ecosystem.atlassian.net/browse/APL-1373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-13403
https://notcve.org/view.php?id=CVE-2018-13403
13 Feb 2019 — The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard. El gadget de estadísticas de filtro en dos dimensiones en Atlassian Jira, en versiones anteriores a la 7.6.10, desde la versión 7.7.0 hasta antes de la 7.12.4 y d... • https://jira.atlassian.com/browse/JRASERVER-68526 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •