CVSS: 8.3EPSS: 0%CPEs: 12EXPL: 0CVE-2024-21677
https://notcve.org/view.php?id=CVE-2024-21677
19 Mar 2024 — This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your in... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862 •
CVSS: 8.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-21678
https://notcve.org/view.php?id=CVE-2024-21678
20 Feb 2024 — This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 8EXPL: 0CVE-2023-22522
https://notcve.org/view.php?id=CVE-2023-22522
06 Dec 2023 — This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See the advisory for additional details Atlassian Cloud sites are not affected by this vulnerability. If your Confluence s... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 10.0EPSS: 96%CPEs: 10EXPL: 9CVE-2023-22518 – Atlassian Confluence Data Center and Server Improper Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2023-22518
31 Oct 2023 — All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affecte... • https://packetstorm.news/files/id/176264 • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22508
https://notcve.org/view.php?id=CVE-2023-22508
18 Jul 2023 — This High severity RCE (Remote Code Execution) vulnerability known as CVE-2023-22508 was introduced in version 6.1.0 of Confluence Data Center & Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that you upgrade your instance to avoid this bug using the following options: * Upg... • https://jira.atlassian.com/browse/CONFSERVER-88221 •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22503
https://notcve.org/view.php?id=CVE-2023-22503
01 May 2023 — Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team. The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0. • https://jira.atlassian.com/browse/CONFSERVER-82403 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26137
https://notcve.org/view.php?id=CVE-2022-26137
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into re... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26136
https://notcve.org/view.php?id=CVE-2022-26136
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions ar... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 97%CPEs: 14EXPL: 75CVE-2022-26134 – Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-26134
03 Jun 2022 — In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. En las versiones afectadas de Confluence Server y Data Center, se presenta un... • https://packetstorm.news/files/id/167431 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •