CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42978
https://notcve.org/view.php?id=CVE-2022-42978
15 Nov 2022 — In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. En el complemento Netic User Export anterior a 1.3.5 para Atlassian Confluence, la autorización se maneja mal. Un atacante no autenticado podría acceder a archivos del sistema remoto. • https://gist.github.com/CveCt0r/34251664a511f1045ce6a5492e94eec1 • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36803
https://notcve.org/view.php?id=CVE-2022-36803
14 Oct 2022 — The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox. La API MasterUserEdit en Atlassian Jira Align Server versiones anteriores a 10.109.2, permite a un atacante autenticado con el permiso de rol People usar la API MasterUserEdit para modificar el rol de cualquier usuario a Super Admin.... • https://jira.atlassian.com/browse/JIRAALIGN-4281 • CWE-276: Incorrect Default Permissions •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36802
https://notcve.org/view.php?id=CVE-2022-36802
14 Oct 2022 — The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request. La API ManageJiraConnectors en Atlassian Jira Align versiones anteriores a 10.109.2, permite a atacantes remotos explotar este problema para acceder a recursos de red internos por medi... • https://jira.atlassian.com/browse/JIRAALIGN-4326 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 94%CPEs: 7EXPL: 23CVE-2022-36804 – Atlassian Bitbucket Server and Data Center Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-36804
25 Aug 2022 — Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnera... • https://packetstorm.news/files/id/171453 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.4EPSS: 2%CPEs: 2EXPL: 0CVE-2022-36801
https://notcve.org/view.php?id=CVE-2022-36801
10 Aug 2022 — Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8. Las versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos anónimos inyectar HTML o JavaScript arbitrario por medio de una vulnerabilidad de tipo Cross-Site Scripting (RXSS) Reflejado en el endpoint TeamM... • https://jira.atlassian.com/browse/JRASERVER-73740 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36800
https://notcve.org/view.php?id=CVE-2022-36800
03 Aug 2022 — Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. The affected versions are before version 4.22.2. Las versiones afectadas de Atlassian Jira Service Management Server y Data Center permiten a atacantes remotos sin el permiso "Browse Users" visualizar los grupos por medio de una vulnerabilidad de divulgación de información en ... • https://jira.atlassian.com/browse/JSDSERVER-11900 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.3EPSS: 3%CPEs: 6EXPL: 0CVE-2022-36799
https://notcve.org/view.php?id=CVE-2022-36799
01 Aug 2022 — This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in veloc... • https://jira.atlassian.com/browse/JRASERVER-73582 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43959
https://notcve.org/view.php?id=CVE-2021-43959
26 Jul 2022 — Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in the CSV importing feature of JSM Insight. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information. The affected versions are before version 4.13.20, from versio... • https://jira.atlassian.com/browse/JSDSERVER-11898 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36290
https://notcve.org/view.php?id=CVE-2020-36290
26 Jul 2022 — The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality. Livesearch macro in Confluence Server and Data Center versiones anteriores a 7.4.5, desde versión 7.5.0 anteriores a 7.6.3, y desde versión 7.7.0 anteriores a 7.7.4, permi... • https://jira.atlassian.com/browse/CONFSERVER-60118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 5EXPL: 4CVE-2022-26138 – Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
https://notcve.org/view.php?id=CVE-2022-26138
20 Jul 2022 — The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app. La aplicación Atlass... • https://github.com/alcaparra/CVE-2022-26138 • CWE-798: Use of Hard-coded Credentials •