Atlassian Jira vulnerabilities

155 known vulnerabilities affecting atlassian/jira.

Total CVEs: 155
CISA KEV: 0
Public exploits: 16
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 128, LOW 3

Vulnerabilities

Page 6 of 8
CVE-2019-8448 | MEDIUM | CVSS 5.3 | affected: < 7.13.4; >= 8.0.0, < unspecified; +1 more | 2019-08-13
  The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
  Sources: cvelistv5, nvd
CVE-2018-20826 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 7.12.3 | affected: < 7.12.3 | 2019-08-09
  The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.
  Sources: cvelistv5, nvd
CVE-2018-20827 | MEDIUM | CVSS 5.4 | CWE-79 | affected: >= 7.0.0, < 7.13.1; < 7.13.1 | 2019-08-09
  The activity stream gadget in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the country parameter.
  Sources: cvelistv5, nvd
CVE-2019-11583 | MEDIUM | CVSS 6.5 | fixed in 8.1.0 | affected: < 8.1.0 | 2019-06-26
  The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name".
  Sources: cvelistv5, nvd
CVE-2019-8442 | HIGH | CVSS 7.5 | PoC available | fixed in 7.13.4 | affected: < 7.13.4; +4 more | 2019-05-22
  The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
  Sources: cvelistv5, nvd
CVE-2019-8443 | HIGH | CVSS 8.1 | CWE-287 | fixed in 7.13.4 | affected: < 7.13.4; +4 more | 2019-05-22
  The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access contro
  Sources: cvelistv5, nvd
CVE-2019-3403 | MEDIUM | CVSS 5.3 | CWE-863 | PoC available | fixed in 7.13.3 | affected: < 7.13.3; +4 more | 2019-05-22
  The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
  Sources: cvelistv5, nvd
CVE-2019-3402 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | fixed in 7.13.3 | affected: < 7.13.3; +2 more | 2019-05-22
  The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
  Sources: cvelistv5, nvd
CVE-2019-3401 | MEDIUM | CVSS 5.3 | CWE-863 | PoC available | fixed in 7.13.3 | affected: < 7.13.3; +2 more | 2019-05-22
  The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
  Sources: cvelistv5, nvd
CVE-2018-20824 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | fixed in 7.13.1 | affected: < 7.13.1 | 2019-05-03
  The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
  Sources: cvelistv5, nvd
CVE-2019-3400 | MEDIUM | CVSS 6.1 | CWE-79 | affected: < 7.13.2; >= 8.0.0, < unspecified; +1 more | 2019-05-03
  The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter.
  Sources: cvelistv5, nvd
CVE-2019-3399 | HIGH | CVSS 7.5 | CWE-863 | fixed in 7.13.2 | affected: < 7.13.2; +2 more | 2019-04-30
  The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
  Sources: cvelistv5, nvd
CVE-2018-13404 | MEDIUM | CVSS 4.1 | CWE-918 | fixed in 7.6.10 | affected: < 7.6.10; +14 more | 2019-02-13
  The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.
  Sources: cvelistv5, nvd
CVE-2018-20232 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.6.11 | affected: < 7.6.11; +2 more | 2019-02-13
  The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
  Sources: cvelistv5, nvd
CVE-2018-13403 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.6.10 | affected: < 7.6.10; +4 more | 2019-02-13
  The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
  Sources: cvelistv5, nvd
CVE-2018-13402 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 7.6.9 | affected: < 7.6.9; +14 more | 2018-10-23
  Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attac
  Sources: cvelistv5, nvd
CVE-2018-13400 | MEDIUM | CVSS 4.7 | CWE-269 | fixed in 7.6.9 | affected: < 7.6.9; +14 more | 2018-10-23
  Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1
  Sources: cvelistv5, nvd
CVE-2018-13401 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 7.6.9 | affected: < 7.6.9; +14 more | 2018-10-23
  The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allo
  Sources: cvelistv5, nvd
CVE-2018-13391 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 7.6.8 | affected: < 7.6.8; +10 more | 2018-08-28
  The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain th
  Sources: cvelistv5, nvd
CVE-2018-13395 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.6.8 | affected: < 7.6.8; +10 more | 2018-08-28
  Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerab
  Sources: cvelistv5, nvd
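The affected-version wording on this page is branch-based: "before version 7.13.4, and from version 8.0.0 before version 8.2.2" means every release below 7.13.4 on the 7.x line plus 8.0.0 up to but not including 8.2.2, so a 7.13.4 install can still be hit by a bug that was only fixed in 8.1.0. The following Python checker is an added example, not code from this page or from Atlassian: it transcribes the ranges visible in the descriptions above into a table and reports which of this page's CVEs cover a given Jira version. Where the page truncates a description, only the visible ranges are included; the phrase "and before version 7.13.1" (or 7.11.1) with no lower bound is read here as the 7.13 (or 7.11) branch, which is an assumption, since the earlier branches have their own fixed releases in the same sentence.

```python
"""Check a Jira version against the affected-version ranges listed on this page.

Added example, not code from the page or from Atlassian. AFFECTED is transcribed
from the CVE descriptions on this page. Each range is (lower_inclusive,
upper_exclusive); None as lower bound means "any earlier release", matching the
page's "before version X" / "from version X before version Y" wording.
"""


def parse_version(v: str) -> tuple:
    """'7.13.4' -> (7, 13, 4); '8.0' -> (8, 0, 0); '8.0.0-m01' -> (8, 0, 0).

    Padding to three components keeps '8.0' from sorting below '8.0.0'.
    """
    core = v.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, rng: tuple) -> bool:
    """True if version lies in [lower, upper); lower=None is unbounded below."""
    lower, upper = rng
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


# Transcribed from the descriptions on this page (see module docstring).
# "partial": the page truncates the description, so later ranges are unknown.
# "assumed": "and before version X" with no lower bound read as that branch.
AFFECTED = {
    "CVE-2019-8448": [(None, "7.13.4"), ("8.0.0", "8.2.2")],
    "CVE-2018-20826": [(None, "7.12.3")],
    "CVE-2018-20827": [(None, "7.13.1")],
    "CVE-2019-11583": [(None, "8.1.0")],
    "CVE-2019-8442": [(None, "7.13.4"), ("8.0.0", "8.0.4"), ("8.1.0", "8.1.1")],
    "CVE-2019-8443": [(None, "7.13.4"), ("8.0.0", "8.0.4"), ("8.1.0", "8.1.1")],
    "CVE-2019-3403": [(None, "7.13.3"), ("8.0.0", "8.0.4"), ("8.1.0", "8.1.1")],
    "CVE-2019-3402": [(None, "7.13.3"), ("8.0.0", "8.1.1")],
    "CVE-2019-3401": [(None, "7.13.3"), ("8.0.0", "8.1.1")],
    "CVE-2018-20824": [(None, "7.13.1")],
    "CVE-2019-3400": [(None, "7.13.2"), ("8.0.0", "8.0.2")],
    "CVE-2019-3399": [(None, "7.13.2"), ("8.0.0", "8.0.2")],
    "CVE-2018-13404": [(None, "7.6.10"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),  # partial
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.3"), ("7.12.0", "7.12.3")],
    "CVE-2018-20232": [(None, "7.6.11"), ("7.7.0", "7.13.1")],
    "CVE-2018-13403": [(None, "7.6.10"), ("7.7.0", "7.12.4"), ("7.13.0", "7.13.1")],
    "CVE-2018-13402": [(None, "7.6.9"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.3"), ("7.12.0", "7.12.3"),
                       ("7.13.0", "7.13.1")],  # assumed
    "CVE-2018-13400": [(None, "7.6.9"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.3"), ("7.12.0", "7.12.3"),
                       ("7.13.0", "7.13.1")],  # assumed
    "CVE-2018-13401": [(None, "7.6.9"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.3"), ("7.12.0", "7.12.3"),
                       ("7.13.0", "7.13.1")],  # assumed
    "CVE-2018-13391": [(None, "7.6.8"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.2")],
    "CVE-2018-13395": [(None, "7.6.8"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
                       ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"),
                       ("7.11.0", "7.11.1")],  # assumed
}


def affecting(version: str) -> list:
    """Sorted CVE ids from this page whose ranges contain the given version."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    # 7.13.4 closes the 7.13 fixes listed here but not CVE-2019-11583 (fixed in 8.1.0).
    for v in ("7.6.9", "7.13.4", "8.0.1", "8.2.2"):
        print(v, affecting(v))
```

The version tuple comparison is the part worth getting right: a naive string compare puts "7.9.3" after "7.13.4", and comparing tuples of unequal length puts "8.0" before "8.0.0", so both are normalised before any range test.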