Atlassian Application Links vulnerabilities

CVE-2019-20105 [MEDIUM] CWE-306 CVE-2019-20105: The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, fro The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access

CVE-2019-20100 [MEDIUM] CWE-352 CVE-2019-20100: The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The follo The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is

CVE-2019-15011 [MEDIUM] CWE-276 CVE-2019-15011: The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 b The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check.

CVE-2018-20239 [MEDIUM] CWE-79 CVE-2018-20239: Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a pl

CVE-2017-18111 [HIGH] CWE-611 CVE-2017-18111: The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before vers The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by req

CVE-2017-16860 [MEDIUM] CWE-79 CVE-2017-16860: The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5. The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.

CVE-2018-5227 [MEDIUM] CWE-79 CVE-2018-5227: Various administrative application link resources in Atlassian Application Links before version 5.4. Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.

CVE-2017-18096 [HIGH] CWE-918 CVE-2017-18096: The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 befor The OAuth status rest resource in Atlassian Application Links before version 5.2.7, from 5.3.0 before 5.3.4 and from 5.4.0 before 5.4.3 allows remote attackers with administrative rights to access the content of internal network resources via a Server Side Request Forgery (SSRF) by creating an OAuth application link to a location they control and then