CVSS: 8.3EPSS: 0%CPEs: 12EXPL: 0CVE-2024-21677
https://notcve.org/view.php?id=CVE-2024-21677
19 Mar 2024 — This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your in... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-21678
https://notcve.org/view.php?id=CVE-2024-21678
20 Feb 2024 — This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 3%CPEs: 2EXPL: 0CVE-2023-22512
https://notcve.org/view.php?id=CVE-2023-22512
16 Jan 2024 — To maintain compliance with CNA rules, we have rejected this CVE record because it has not been used. This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to c... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616 •
CVSS: 9.0EPSS: 34%CPEs: 8EXPL: 0CVE-2023-22522
https://notcve.org/view.php?id=CVE-2023-22522
06 Dec 2023 — This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See the advisory for additional details Atlassian Cloud sites are not affected by this vulnerability. If your Confluence s... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 10.0EPSS: 94%CPEs: 10EXPL: 9CVE-2023-22518 – Atlassian Confluence Data Center and Server Improper Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2023-22518
31 Oct 2023 — All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affecte... • https://packetstorm.news/files/id/176264 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22503
https://notcve.org/view.php?id=CVE-2023-22503
01 May 2023 — Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team. The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0. • https://jira.atlassian.com/browse/CONFSERVER-82403 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42977
https://notcve.org/view.php?id=CVE-2022-42977
15 Nov 2022 — The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded. El complemento Netic User Export anterior a 1.3.5 para Atlassian Confluence tiene la funcionalidad de generar una lista de usuarios en la aplicación y exportarla. Durante la exportación, la solicitud HTTP tiene un parámetr... • https://gist.github.com/CveCt0r/34251664a511f1045ce6a5492e94eec1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42978
https://notcve.org/view.php?id=CVE-2022-42978
15 Nov 2022 — In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. En el complemento Netic User Export anterior a 1.3.5 para Atlassian Confluence, la autorización se maneja mal. Un atacante no autenticado podría acceder a archivos del sistema remoto. • https://gist.github.com/CveCt0r/34251664a511f1045ce6a5492e94eec1 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-36290
https://notcve.org/view.php?id=CVE-2020-36290
26 Jul 2022 — The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality. Livesearch macro in Confluence Server and Data Center versiones anteriores a 7.4.5, desde versión 7.5.0 anteriores a 7.6.3, y desde versión 7.7.0 anteriores a 7.7.4, permi... • https://jira.atlassian.com/browse/CONFSERVER-60118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26137
https://notcve.org/view.php?id=CVE-2022-26137
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into re... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-346: Origin Validation Error •