Atlassian Jira Data Center vulnerabilities

CVE-2020-4025 [MEDIUM] CWE-79 CVE-2020-4025: The attachment download resource in Atlassian Jira Server and Data Center The attachment download re The attachment download resource in Atlassian Jira Server and Data Center The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a

CVE-2020-4024 [MEDIUM] CWE-79 CVE-2020-4024: The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6 The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a vnd.wap.xhtml+xml content type.

CVE-2020-4029 [MEDIUM] CVE-2020-4029: The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center befor The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.

CVE-2020-14168 [MEDIUM] CVE-2020-14168: The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, fro The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability.

CVE-2020-4022 [MEDIUM] CWE-79 CVE-2020-4022: The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6 The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue attachments with a mixed multipart content type.

CVE-2019-20415 [MEDIUM] CWE-352 CVE-2019-20415: Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging Atlassian Jira Server and Data Center in affected versions allows remote attackers to modify logging and profiling settings via a cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.3, and from version 8.0.0 before 8.1.0.

CVE-2019-20413 [HIGH] CVE-2019-20413: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the appl Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20414 [MEDIUM] CWE-79 CVE-2019-20414: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrar Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in Issue Navigator Basic Search. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20410 [MEDIUM] CVE-2019-20410: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20411 [MEDIUM] CWE-352 CVE-2019-20411: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboar Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.

CVE-2019-20412 [MEDIUM] CWE-287 CVE-2019-20412: The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center all The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7

CVE-2020-4021 [MEDIUM] CWE-79 CVE-2020-4021: Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data C Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.

CVE-2019-20407 [MEDIUM] CWE-862 CVE-2019-20407: The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8. The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check.

CVE-2019-20099 [MEDIUM] CWE-352 CVE-2019-20099: The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before ver The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where

CVE-2019-20100 [MEDIUM] CWE-352 CVE-2019-20100: The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The follo The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is

CVE-2019-20098 [MEDIUM] CWE-352 CVE-2019-20098: The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before ve The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network wher

CVE-2019-20405 [MEDIUM] CWE-352 CVE-2019-20405: The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.

CVE-2019-20106 [MEDIUM] CWE-276 CVE-2019-20106: Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 befor Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

CVE-2019-20404 [MEDIUM] CVE-2019-20404: The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote at The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

CVE-2019-20403 [MEDIUM] CVE-2019-20403: The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to det The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.