CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-20419
https://notcve.org/view.php?id=CVE-2019-20419
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2. Las versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos ejecutar código arbitrario por medio de una vulnerabilidad de secuestro de DLL en Tomcat. Las versiones afectadas son las versiones anteriores a 8.5.5 y desde la versión 8.6.0 anteriores a 8.7.2 • https://jira.atlassian.com/browse/JRASERVER-70945 • CWE-427: Uncontrolled Search Path Element •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2019-20099
https://notcve.org/view.php?id=CVE-2019-20099
The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El componte VerifyPopServerConnection!add.jspa en Atlassian Jira Server and Data Center anterior a versión 8.7.0, es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70606 https://www.tenable.com/security/research/tra-2020-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2019-20098
https://notcve.org/view.php?id=CVE-2019-20098
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present. El componente VerifySmtpServerConnection!add.jspa en Atlassian Jira Server and Data Center anterior a versión 8.7.0, es vulnerable a un ataque de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70605 https://www.tenable.com/security/research/tra-2020-05 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-20401
https://notcve.org/view.php?id=CVE-2019-20401
Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. Varios recursos de configuración de instalación en Jira antes de la versión 8.5.2, permiten a atacantes remotos configurar una instancia de Jira, que aún no ha terminado de ser instalada, por medio de vulnerabilidades de tipo cross-site request forgery (CSRF). • https://jira.atlassian.com/browse/JRASERVER-70406 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 1%CPEs: 12EXPL: 0CVE-2019-15001
https://notcve.org/view.php?id=CVE-2019-15001
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. El plugin Jira Importers en Atlassian Jira Server y Data Cente desde la versión 7.0.10 anterior a 7.6.16, desde 7.7.0 anterior a 7.13.8, desde 8.0.0 anterior a 8.1.3, desde 8.2.0 anterior a 8.2.5, desde 8.3.0 anterior a 8.3.4 y desde 8.4.0 anteriores a 8.4.1, permite a atacantes remotos con permisos de Administrador conseguir la ejecución de código remota por medio de una vulnerabilidad de inyección de plantilla mediante el uso de una petición PUT diseñada • http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html https://jira.atlassian.com/browse/JRASERVER-69933 https://seclists.org/bugtraq/2019/Sep/42 • CWE-94: Improper Control of Generation of Code ('Code Injection') •