CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 3CVE-2021-26078 – Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-26078
07 Jun 2021 — The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. El componente number range searcher en Jira Server y Jira Data Center versiones anteriores a 8.5.14, desde versiones 8.6.0 anteriores a versiones 8.13.6, y desde versiones 8.14.0 versiones anteriores a 8.16.1 permite a at... • https://packetstorm.news/files/id/163289 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 96%CPEs: 6EXPL: 0CVE-2020-36289
https://notcve.org/view.php?id=CVE-2020-36289
12 May 2021 — Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a un usuario no autenticado enumerar usuarios a través de una vulnerabilidad de divulgación de información e... • https://jira.atlassian.com/browse/JRASERVER-71559 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26076
https://notcve.org/view.php?id=CVE-2021-26076
14 Apr 2021 — The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https. La cookie jira.editor.user.mode ajustada por Jira Editor Plugin en Jira Server y Data Cent... • https://jira.atlassian.com/browse/JRASERVER-72252 •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26075
https://notcve.org/view.php?id=CVE-2021-26075
14 Apr 2021 — The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename. El recurso de rest AttachTemporaryFile del plugin de importadores de Jira en Jira Server y Data Center versiones anter... • https://jira.atlassian.com/browse/JRASERVER-72316 •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36288
https://notcve.org/view.php?id=CVE-2020-36288
14 Apr 2021 — The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused by parameter pollution. La visualización de búsqueda y navegación de problemas en Jira Server y Data Center versiones anteriores a 8.5.12, desde versión 8.6.0 versiones anteriores a 8.13.4 y desde versión 8.14.0 ... • https://jira.atlassian.com/browse/JRASERVER-72115 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-36287
https://notcve.org/view.php?id=CVE-2020-36287
09 Apr 2021 — The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. El recurso de preferencia de gadgets del panel de control del plugin de gadgets de Atlassian usado en Jira Server y Jira Data Center versiones anteriores a 8.13.5, y desde versión 8.14.0 anterior a 8.15.1, permite a atacantes r... • https://github.com/f4rber/CVE-2020-36287 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36286
https://notcve.org/view.php?id=CVE-2020-36286
01 Apr 2021 — The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field. La función de búsqueda de membersOf JQL en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permi... • https://jira.atlassian.com/browse/JRASERVER-72272 •
CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26071
https://notcve.org/view.php?id=CVE-2021-26071
01 Apr 2021 — The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. El recurso SetFeatureEnabled.jspa en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permite q... • https://jira.atlassian.com/browse/JRASERVER-72233 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36238
https://notcve.org/view.php?id=CVE-2020-36238
01 Apr 2021 — The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check. El recurso /rest/api/1.0/render en Jira Server y Data Center anterior a versión 8.5.13, desde versión 8.6.0 anterior a versión 8.13.5 y desde versión 8.14.0 anterior a versión 8.15.1, permite a atacantes anónimos remotos deter... • https://jira.atlassian.com/browse/JRASERVER-72249 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-26069
https://notcve.org/view.php?id=CVE-2021-26069
22 Mar 2021 — Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0. Versiones afectadas de Atlassian Jira Server y Data Center, permiten a atacantes remotos no autenticados descargar archivos t... • https://jira.atlassian.com/browse/JRASERVER-72010 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •