Atlassian Jira vulnerabilities
155 known vulnerabilities affecting atlassian/jira.
Total CVEs: 155
CISA KEV: 0
Public exploits: 16
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 128, LOW 3
Vulnerabilities
Page 7 of 8
CVE-2017-18104 | MEDIUM | CVSS 5.9 | CWE-200 | fixed in 7.6.7 | affected: ≥ unspecified, < 7.6.7 (+2 more ranges) | published 2018-07-24 | sources: cvelistv5, nvd
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.
CVE-2018-5232 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.6.7 | affected: ≥ unspecified, < 7.6.7 (+2 more ranges) | published 2018-07-18 | sources: cvelistv5, nvd
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
CVE-2018-13387 | MEDIUM | CVSS 6.1 | fixed in 7.6.7 | published 2018-07-16 | sources: cvelistv5, nvd
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability i
CVE-2018-5231 | HIGH | CVSS 7.5 | fixed in 7.6.6 | affected: ≥ unspecified, < 7.6.6 (+6 more ranges) | published 2018-05-16 | sources: cvelistv5, nvd
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
CVE-2018-5230 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | fixed in 7.6.6 | affected: ≥ unspecified, < 7.6.6 (+6 more ranges) | published 2018-05-14 | sources: cvelistv5, nvd
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value
CVE-2017-18101 | MEDIUM | CVSS 6.5 | CWE-284 | fixed in 7.6.5 | affected: ≥ unspecified, < 7.6.5 (+4 more ranges) | published 2018-04-10 | sources: cvelistv5, nvd
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permissio
CVE-2017-18100 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.8.1 | published 2018-04-10 | sources: nvd
The agile wallboard gadget in Atlassian Jira before version 7.8.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of quick filters.
CVE-2017-18097 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.6.1 | affected: ≥ unspecified, < 7.6.1 | published 2018-04-06 | sources: cvelistv5, nvd
The Trello board importer resource in Atlassian Jira before version 7.6.1 allows remote attackers who can convince a Jira administrator to import their Trello board to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the title of a Trello card.
CVE-2017-18098 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.6.1 | affected: ≥ unspecified, < 7.6.1 | published 2018-04-06 | sources: cvelistv5, nvd
The searchrequest-xml resource in Atlassian Jira before version 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through various fields.
CVE-2017-18039 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 6.2.1, < 7.4.4; ≥ unspecified, < 7.6.7 (+8 more ranges) | published 2018-02-02 | sources: cvelistv5, nvd
The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter.
CVE-2017-18033 | MEDIUM | CVSS 6.5 | CWE-352 | fixed in 7.6.1 | affected: all versions before 7.6.1 | published 2018-01-18 | sources: cvelistv5, nvd
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
CVE-2017-16863 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.5.3 | published 2018-01-18 | sources: nvd
The PieChart gadget in Atlassian Jira before version 7.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a project or filter.
CVE-2017-16865 | MEDIUM | CVSS 5.3 | CWE-918 | fixed in 7.6.1 | affected: all versions before 7.6.1 | published 2018-01-17 | sources: cvelistv5, nvd
The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential info
CVE-2017-16862 | MEDIUM | CVSS 4.3 | CWE-352 | fixed in 7.6.2 | affected: prior to 7.6.2 | published 2018-01-12 | sources: cvelistv5, nvd
The IncomingMailServers resource in Atlassian Jira before version 7.6.2 allows remote attackers to modify the "incoming mail" whitelist setting via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-14594 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.2.12 | affected: prior to 7.2.12 (+1 more range) | published 2018-01-12 | sources: cvelistv5, nvd
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
CVE-2017-16864 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.4.2 | affected: prior to 7.4.2 | published 2018-01-12 | sources: cvelistv5, nvd
The issue search resource in Atlassian Jira before version 7.4.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the orderby parameter.
CVE-2017-5983 | CRITICAL | CVSS 9.8 | CWE-502 | PoC available | affected: 4.2.4, 4.3 (+64 more versions) | published 2017-04-10 | sources: nvd
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
CVE-2016-4319 | HIGH | CVSS 8.8 | CWE-352 | affected: ≤ 7.1.8 | published 2017-04-10 | sources: nvd
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
CVE-2016-4318 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≤ 7.1.8 | published 2017-04-10 | sources: nvd
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
CVE-2016-6285 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 7.2.1 | published 2017-01-31 | sources: nvd
Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.