Page 6 of 32 results (0.023 seconds)

CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 16

CVE-2019-3396 – Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability

https://notcve.org/view.php?id=CVE-2019-3396

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. La macro de Widget Connector en Atlassian Confluence and Data Center en versiones anteriores a la 6.6.12 (la versión solucionada para 6.6.x), desde la versión 6.7.0 hasta antes de la 6.12.3 (la versión solucionada para 6.12.x), desde la versión 6.13.0 hasta antes de la 6.13.3 (la versión solucionada para 6.13.x) y desde la versión 6.14.0 hasta antes de la 6.14.2 (la versión solucionada para 6.14.x) permite a los atacantes remotos lograr saltos de directorio y ejecución remota de código en una instancia de Confluence Server or Data Center a través de una inyección de plantillas del lado del servidor. Atlassian Confluence version 6.12.1 suffers from a Widget Connector Macro template injection vulnerability. Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability that may allow an attacker to achieve path traversal and remote code execution. • https://www.exploit-db.com/exploits/46731 https://www.exploit-db.com/exploits/49465 https://github.com/jas502n/CVE-2019-3396 https://github.com/x-f1v3/CVE-2019-3396 https://github.com/pyn3rd/CVE-2019-3396 https://github.com/dothanthitiendiettiende/CVE-2019-3396 https://github.com/Avento/CVE-2019-3396-Memshell-for-Behinder https://github.com/s1xg0d/CVE-2019-3396 https://github.com/quanpt103/CVE-2019-3396 https://github.com/xiaoshuier/CVE-2019-3396 https://github. • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2018-20237

https://notcve.org/view.php?id=CVE-2018-20237

Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. Atlassian Confluence Server and Data Center, en versiones anteriores a la 6.13.1, permite que un usuario autenticado descargue una página eliminada mediante la característica de exportación de palabras. • http://www.securityfocus.com/bid/107041 https://jira.atlassian.com/browse/CONFSERVER-57814 https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20237 • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1

CVE-2017-7415

https://notcve.org/view.php?id=CVE-2017-7415

Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource. Atlassian Confluence 6.x antes de 6.0.7 permite a los atacantes remotos eludir la autenticación y leer cualquier blog o página a través del recurso drafts diff REST. • http://www.securityfocus.com/bid/97961 https://jira.atlassian.com/browse/CONFSERVER-52222 https://packetstormsecurity.com/files/142330/Confluence-6.0.x-Information-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 0

CVE-2016-6668

https://notcve.org/view.php?id=CVE-2016-6668

The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages. El Atlassian Hipchat Integration Plugin para Bitbucket Server 6.26.0 en versiones anteriores a 6.27.5, 6.28.0 en versiones anteriores a 7.3.7 y 7.4.0 en versiones anteriores a 7.8.17; pllugin HipChat para Confluence 6.26.0 en versiones anteriores a 7.8.17; y plugin HipChat para JIRA 6.26.0 en versiones anteriores a 7.8.17 permite a atacantes remotos obtener la clave secreta para comunicarse con instancias HipChat leyendo páginas no especificadas. • http://packetstormsecurity.com/files/139004/Atlassian-HipChat-Secret-Key-Disclosure.html http://www.securityfocus.com/archive/1/539530/100/0/threaded http://www.securityfocus.com/bid/93159 https://confluence.atlassian.com/bitbucketserver/bitbucket-server-security-advisory-2016-09-21-840698321.html https://confluence.atlassian.com/doc/confluence-security-advisory-2016-09-21-849052104.html https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2016-09-21-849052099.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 3

CVE-2012-6342 – Atlassian Confluence 3.0 Cross Site Request Forgery

https://notcve.org/view.php?id=CVE-2012-6342

Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that logout the user via a comment. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en logout.action en Confluence versión 3.4.6 de Atlassian, permite a los atacantes remotos secuestrar la autenticación de administradores para las peticiones que cierran la sesión del usuario por medio de un comentario. Atlassian Confluence version 3.0 suffers from multiple cross site request forgery vulnerabilities. The vendor has decided not to fix these issues. • http://archives.neohapsis.com/archives/bugtraq/2013-01/0066.html http://packetstormsecurity.com/files/116829/Atlassian-Confluence-3.0-Cross-Site-Request-Forgery.html http://www.halock.com/blog/cve-2012-6342-atlassian-confluence-multiple-cross-site-request-forgery-csrf-vulnerabilities http://www.securityfocus.com/archive/1/524217/30/450/threaded https://jira.atlassian.com/browse/CONFSERVER-22784 • CWE-352: Cross-Site Request Forgery (CSRF) •