Atlassian Confluence Server vulnerabilities
51 known vulnerabilities affecting atlassian/confluence_server.
Total CVEs: 51
CISA KEV: 8 (actively exploited)
Public exploits: 11
Exploited in wild: 8
Severity breakdown: CRITICAL 9, HIGH 22, MEDIUM 20
Vulnerabilities
Page 2 of 3
CVE-2020-36290  [MEDIUM]  CVSS 5.4  CWE-79  2022-07-26
Affected: fixed in 7.4.5; ≥ 7.5.0, < 7.6.3; +6 more
The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.
Sources: cvelistv5, nvd
CVE-2022-26136  [CRITICAL]  CVSS 9.8  CWE-180  2022-07-20
Affected: fixed in 7.4.17; ≥ 7.5.0, < 7.13.7; +16 more
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released update
Sources: cvelistv5, nvd
CVE-2022-26137  [HIGH]  CVSS 8.8  CWE-180  2022-07-20
Affected: fixed in 7.4.17; ≥ 7.5.0, < 7.13.7; +16 more
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a speci
Sources: cvelistv5, nvd
CVE-2022-26134  [CRITICAL]  CVSS 9.8  CWE-917  KEV  PoC  2022-06-03
Affected: ≥ 1.3, < 7.4.17; ≥ 7.13.0, < 7.13.7; +19 more
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2,
Sources: cvelistv5, nvd
CVE-2021-39114  [HIGH]  CVSS 8.8  CWE-94  2022-04-05
Affected: fixed in 6.13.23; ≥ 6.14.0, < 7.4.11; +9 more
Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and fr
Sources: cvelistv5, nvd
CVE-2021-43940  [HIGH]  CVSS 7.8  CWE-427  2022-02-15
Affected: fixed in 7.4.10; ≥ 7.5.0, < 7.12.3; +3 more
Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.
Sources: cvelistv5, nvd
CVE-2021-26084  [CRITICAL]  CVSS 9.8  CWE-917  KEV  PoC  2021-08-30
Affected: fixed in 6.13.23; ≥ 6.14.0, < 7.4.11; +9 more
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from vers
Sources: cvelistv5, nvd
CVE-2021-26085  [MEDIUM]  CVSS 5.3  CWE-425  KEV  PoC  2021-08-03
Affected: fixed in 7.4.10; ≥ 7.5.0, < 7.12.3; +3 more
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
Sources: cvelistv5, nvd
CVE-2020-29444  [MEDIUM]  CVSS 5.4  CWE-79  2021-05-07
Affected: fixed in 7.11.0; ≥ unspecified, < 7.11.0
Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or JavaScript via a Cross Site Scripting Vulnerability in admin global setting parameters.
Sources: cvelistv5, nvd
CVE-2020-29445  [MEDIUM]  CVSS 4.3  CWE-918  2021-05-07
Affected: fixed in 7.4.8; ≥ 7.5.0, < 7.11.0; +3 more
Affected versions of Confluence Server before 7.4.8, and versions from 7.5.0 before 7.11.0 allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters.
Sources: cvelistv5, nvd
CVE-2021-26072  [MEDIUM]  CVSS 4.3  CWE-918  PoC  2021-04-01
Affected: fixed in 5.8.6; ≥ unspecified, < 5.8.6
The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
Sources: cvelistv5, nvd
CVE-2020-29448  [MEDIUM]  CVSS 5.3  2021-02-22
Affected: fixed in 6.13.18; ≥ 6.14.0, < 7.4.6; +6 more
The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Sources: cvelistv5, nvd
CVE-2020-29450  [MEDIUM]  CVSS 6.5  CWE-434  2021-01-19
Affected: fixed in 7.2.0; ≥ unspecified, < 7.2.0
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
Sources: cvelistv5, nvd
CVE-2020-14175  [MEDIUM]  CVSS 5.4  CWE-79  2020-07-24
Affected: fixed in 7.4.2; ≥ 7.5.0, < 7.5.2; +3 more
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.
Sources: cvelistv5, nvd
CVE-2020-4027  [MEDIUM]  CVSS 4.7  CWE-74  2020-07-01
Affected: ≥ 7.5.0, < 7.5.1; ≥ unspecified, < 7.4.5; +2 more
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
Sources: cvelistv5, nvd
CVE-2019-20102  [MEDIUM]  CVSS 6.1  CWE-79  2020-04-22
Affected: ≥ 6.14.0, ≤ 6.14.3; ≥ 6.15.0, < 6.15.5; +4 more
The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter.
Sources: cvelistv5, nvd
CVE-2019-20406  [HIGH]  CVSS 7.8  CWE-427  2020-02-06
Affected: v7.1.0
The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environment variable to inject code & escalate their privileges via a DLL hijacking vulnerabilit
Sources: nvd
CVE-2019-15006  [MEDIUM]  CVSS 6.5  CWE-913  2019-12-19
Affected: ≥ 6.14.0, < 6.15.10; ≥ 7.0.1, < 7.0.5; +11 more
There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion applica
Sources: cvelistv5, nvd
CVE-2019-15005  [MEDIUM]  CVSS 4.3  CWE-862  2019-11-08
Affected: ≥ unspecified, < 7.0.1
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulne
Sources: cvelistv5, nvd
CVE-2019-3394  [HIGH]  CVSS 8.8  CWE-22  2019-08-29
Affected: ≥ 6.14.0, < 6.15.8; ≥ 6.1.0, < unspecified; +5 more
There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to edit a page is able to exploit this issue to read arbitrary files on the server under the /confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could
Sources: cvelistv5, nvd