Atlassian Confluence Server vulnerabilities

51 known vulnerabilities affecting atlassian/confluence_server.

Total CVEs: 51
CISA KEV: 8 (actively exploited)
Public exploits: 11
Exploited in wild: 8
Severity breakdown: CRITICAL 9, HIGH 22, MEDIUM 20

Vulnerabilities

Page 3 of 3
CVE-2018-20239 | MEDIUM | CVSS 5.4 | fixed in 6.15.2 | 2019-04-30
CVE-2018-20239 [MEDIUM] CWE-79: Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a pl
Source: nvd
CVE-2019-3398 | HIGH | CVSS 8.8 | KEV, PoC | ≥ 2.0, < 6.6.13; ≥ 6.7.0, < 6.12.4; +3 more | 2019-04-18
CVE-2019-3398 [HIGH] CWE-22: Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locat
Source: nvd
CVE-2019-3395 | CRITICAL | CVSS 9.8 | ≥ 6.13.0, < 6.13.3; ≥ 6.14.0, < 6.14.2; +7 more | 2019-03-25
CVE-2019-3395 [CRITICAL] CWE-918: The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Cen
Sources: cvelistv5, nvd
CVE-2019-3396 | CRITICAL | CVSS 9.8 | KEV, PoC | fixed in 6.6.12; ≥ 6.7.0, < 6.12.3; +9 more | 2019-03-25
CVE-2019-3396 [CRITICAL] CWE-22: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path
Sources: cvelistv5, nvd
CVE-2018-20237 | MEDIUM | CVSS 6.5 | fixed in 6.13.1; ≥ 6.13.2, < 6.14.0; +1 more | 2019-02-13
CVE-2018-20237 [MEDIUM] CWE-668: Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.
Sources: cvelistv5, nvd
CVE-2017-9505 | MEDIUM | CVSS 4.3 | Versions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability. | 2017-06-15
CVE-2017-9505 [MEDIUM] CWE-276: Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they
Sources: cvelistv5, nvd
CVE-2017-7415 | HIGH | CVSS 7.5 | 6.0.0; 6.0.1; +5 more | 2017-04-27
CVE-2017-7415 [HIGH] CWE-200: Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource.
Source: nvd
CVE-2016-6668 | HIGH | CVSS 7.5 | 5.5.0; 5.9.1; +15 more | 2017-01-23
CVE-2016-6668 [HIGH] CWE-200: The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages.
Source: nvd
CVE-2012-6342 | MEDIUM | CVSS 6.8 | 3.4.6 | 2014-05-13
CVE-2012-6342 [MEDIUM] CWE-352: Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that logout the user via a comment.
Source: nvd
CVE-2012-2926 | CRITICAL | CVSS 9.1 | PoC | ≥ 4.0, < 4.0.7; ≥ 4.1, < 4.1.10 | 2012-05-22
CVE-2012-2926 [CRITICAL]: Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of
Source: nvd
CVE-2012-2928 | MEDIUM | CVSS 6.4 | 4.1.9 | 2012-05-22
CVE-2012-2928 [MEDIUM] CWE-264: The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
Source: nvd