CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36288
https://notcve.org/view.php?id=CVE-2020-36288
14 Apr 2021 — The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution. La visualización de búsqueda y navegación de problemas en Jira Server y Data Center versiones anteriores a 8.5.12, desde versión 8.6.0 versiones anteriores a 8.13.4 y desde versión 8.14.0 ... • https://jira.atlassian.com/browse/JRASERVER-72115 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 67%CPEs: 4EXPL: 1CVE-2020-36287
https://notcve.org/view.php?id=CVE-2020-36287
09 Apr 2021 — The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. El recurso de preferencia de gadgets del panel de control del plugin de gadgets de Atlassian usado en Jira Server y Jira Data Center versiones anteriores a 8.13.5, y desde versión 8.14.0 anterior a 8.15.1, permite a atacantes r... • https://github.com/f4rber/CVE-2020-36287 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36286
https://notcve.org/view.php?id=CVE-2020-36286
01 Apr 2021 — The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field. La función de búsqueda de membersOf JQL en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permi... • https://jira.atlassian.com/browse/JRASERVER-72272 •
CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26071
https://notcve.org/view.php?id=CVE-2021-26071
01 Apr 2021 — The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. El recurso SetFeatureEnabled.jspa en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permite q... • https://jira.atlassian.com/browse/JRASERVER-72233 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36238
https://notcve.org/view.php?id=CVE-2020-36238
01 Apr 2021 — The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check. El recurso /rest/api/1.0/render en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permite a atacantes anónimos remotos deter... • https://jira.atlassian.com/browse/JRASERVER-72249 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 3%CPEs: 6EXPL: 0CVE-2021-26069
https://notcve.org/view.php?id=CVE-2021-26069
22 Mar 2021 — Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. Versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos no autenticados descargar archivos t... • https://jira.atlassian.com/browse/JRASERVER-72010 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.0EPSS: 0%CPEs: 11EXPL: 0CVE-2020-36232
https://notcve.org/view.php?id=CVE-2020-36232
22 Feb 2021 — The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled. La clase MessageBundleWhiteList de atlassian-gadgets versiones anteriores a 4.2.37, desde versiones ... • https://jira.atlassian.com/browse/JRASERVER-72025 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 85%CPEs: 6EXPL: 0CVE-2020-29453
https://notcve.org/view.php?id=CVE-2020-29453
18 Feb 2021 — The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. La clase CachingResourceDownloadRewriteRule en Jira Server y Jira Data Center versiones anteriores a 8.5.11, desde 8.6.0 anteriores a 8.13.3 y desde 8.14.0 anteriores a 8.15.0, permitía a atacantes remotos no au... • https://jira.atlassian.com/browse/JRASERVER-72014 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36234
https://notcve.org/view.php?id=CVE-2020-36234
15 Feb 2021 — Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (XSS... • https://jira.atlassian.com/browse/JRASERVER-72059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •