
CVE-2019-20408
https://notcve.org/view.php?id=CVE-2019-20408
01 Jul 2020 — The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. • https://jira.atlassian.com/browse/JRASERVER-71204 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2019-20416
https://notcve.org/view.php?id=CVE-2019-20416
30 Jun 2020 — Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the project configuration feature. The affected versions are before version 8.3.0. • https://jira.atlassian.com/browse/JRASERVER-70856 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-4028
https://notcve.org/view.php?id=CVE-2020-4028
23 Jun 2020 — In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an Information Disclosure vulnerability. • https://jira.atlassian.com/browse/JRASERVER-71175 • CWE-203: Observable Discrepancy •

CVE-2019-20409
https://notcve.org/view.php?id=CVE-2019-20409
23 Jun 2020 — The way in which Velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability. • https://jira.atlassian.com/browse/JRASERVER-70944 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2019-20100
https://notcve.org/view.php?id=CVE-2019-20100
12 Feb 2020 — The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP... • https://ecosystem.atlassian.net/browse/APL-1390 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2019-20402
https://notcve.org/view.php?id=CVE-2019-20402
06 Feb 2020 — Support zip files in Atlassian Jira Server and Data Center before version 8.6.0 could be downloaded by a System Administrator user without requiring the user to re-enter their password via an improper authorization vulnerability. • https://jira.atlassian.com/browse/JRASERVER-70564 •

CVE-2019-15005
https://notcve.org/view.php?id=CVE-2019-15005
08 Nov 2019 — The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center... • https://herolab.usd.de/security-advisories/usd-2019-0016 • CWE-862: Missing Authorization •

CVE-2019-8449 – Jira 8.3.4 - Information Disclosure (Username Enumeration)
https://notcve.org/view.php?id=CVE-2019-8449
11 Sep 2019 — The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. Jira version 8.3.4 suffers from a username enumeration information disclosure vulnerability. • https://packetstorm.news/files/id/156172 • CWE-306: Missing Authentication for Critical Function •

CVE-2019-11584
https://notcve.org/view.php?id=CVE-2019-11584
23 Aug 2019 — The MigratePriorityScheme resource in Jira before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the priority icon url of an issue priority. • https://jira.atlassian.com/browse/JRASERVER-69785 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-11583
https://notcve.org/view.php?id=CVE-2019-11583
26 Jun 2019 — The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name". • http://www.securityfocus.com/bid/108901 •