CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26137
https://notcve.org/view.php?id=CVE-2022-26137
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into re... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26136
https://notcve.org/view.php?id=CVE-2022-26136
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions ar... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-36240
https://notcve.org/view.php?id=CVE-2020-36240
01 Mar 2021 — The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. La clase ResourceDownloadRewriteRule en Crowd versiones anteriores a 4.0.4, y desde versión 4.1.0 versiones anteriores a 4.1.2, permitía a atacantes remotos no autenticados leer archivos arbitrarios dentro de los directorios WEB-INF y META-INF por medio de una compr... • https://jira.atlassian.com/browse/CWD-5685 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-20902
https://notcve.org/view.php?id=CVE-2019-20902
01 Oct 2020 — Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1. La actualización de Crowd a través de la transferencia de datos XML puede reactivar un usuario discapacitado de OpenLDAP. Las versiones afectadas son de antes de la versión 3.4.6 y de la versión 3.5.0 anterior a la 3.5.1 • https://jira.atlassian.com/browse/CWD-5409 •
CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 1CVE-2019-20104
https://notcve.org/view.php?id=CVE-2019-20104
06 Feb 2020 — The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. La aplicación de cliente OpenID en Atlassian Crowd antes de la versión 3.6.2 y desde la versión 3.7.0 anteriores a 3.7.1, permite a atacantes remotos llevar a cabo un ataque de Denegación de Servicio por medio de una vulnerabilidad de tipo XML Entity Expansion. • https://jira.atlassian.com/browse/CWD-5526 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18107
https://notcve.org/view.php?id=CVE-2017-18107
17 Dec 2019 — Various resources in the Crowd Demo application of Atlassian Crowd before version 3.1.1 allow remote attackers to modify add, modify and delete users & groups via a Cross-site request forgery (CSRF) vulnerability. Please be aware that the Demo application is not enabled by default. Varios recursos en la aplicación Crowd Demo de Atlassian Crowd en versiones anteriores a la 3.1.1 permiten a los atacantes remotos modificar la vulnerabilidad agregar, modificar y eliminar usuarios y grupos mediante una vulnerabi... • https://jira.atlassian.com/browse/CWD-5091 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2019-15005
https://notcve.org/view.php?id=CVE-2019-15005
08 Nov 2019 — The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center... • https://herolab.usd.de/security-advisories/usd-2019-0016 • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 14EXPL: 0CVE-2018-20239
https://notcve.org/view.php?id=CVE-2018-20239
30 Apr 2019 — Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3... • https://ecosystem.atlassian.net/browse/APL-1373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-18110
https://notcve.org/view.php?id=CVE-2017-18110
29 Mar 2019 — The administration backup restore resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to read files from the filesystem via a XXE vulnerability. El recurso de administración de copias de memoria en Atlassian Crowd, en versiones anteriores a la 3.0.2 y desde la 3.1.1, permite a los atacantes remotos leer archivos desde el sistema de archivos mediante una vulnerabilidad de XEE (XML External Entity). • https://jira.atlassian.com/browse/CWD-5070 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-18109
https://notcve.org/view.php?id=CVE-2017-18109
29 Mar 2019 — The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. El recurso de inicio de sesión de Crowdld en Atlassian Crowd, en versiones anteriores a la 3.0.2 y desde la 3.1.0 hasta la 3.1.1, permite a los atacantes remotos redirigir a los usuarios a otro sitio web que pueden utilizar como parte de la realización... • https://jira.atlassian.com/browse/CWD-5071 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •