Atlassian Jira Server vulnerabilities

CVE-2019-8450 [MEDIUM] CWE-79 CVE-2019-8450: Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 b Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field.

CVE-2019-14995 [MEDIUM] CWE-863 CVE-2019-14995: The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to The /rest/api/1.0/render resource in Jira before version 8.4.0 allows remote anonymous attackers to determine if an attachment with a specific name exists and if an issue key is valid via a missing permissions check.

CVE-2019-14996 [MEDIUM] CWE-79 CVE-2019-14996: The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before ver The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.

CVE-2019-8445 [MEDIUM] CWE-863 CVE-2019-8445: Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.

CVE-2019-8447 [MEDIUM] CWE-352 CVE-2019-8447: The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the cre The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

CVE-2019-11586 [MEDIUM] CWE-352 CVE-2019-11586: The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2 The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions via a Cross-site request forgery (CSRF) vulnerability.

CVE-2019-11585 [MEDIUM] CWE-601 CVE-2019-11585: The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and The startup.jsp resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect.

CVE-2019-11588 [MEDIUM] CWE-352 CVE-2019-11588: The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0. The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trigger garbage collection via a Cross-site request forgery (CSRF) vulnerability.

CVE-2019-8446 [MEDIUM] CWE-863 CVE-2019-8446: The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enu The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.

CVE-2019-11587 [MEDIUM] CWE-352 CVE-2019-11587: Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify various settings via Cross-site request forgery (CSRF).

CVE-2019-11589 [MEDIUM] CWE-601 CVE-2019-11589: The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before versio The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.

CVE-2019-8444 [MEDIUM] CWE-79 CVE-2019-8444: The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3. The wikirenderer component in Jira before version 7.13.6, and from version 8.0.0 before version 8.3.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in image attribute specification.

CVE-2019-8448 [MEDIUM] CVE-2019-8448: The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 al The login.jsp resource in Jira before version 7.13.4, and from version 8.0.0 before version 8.2.2 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

CVE-2019-11581 [CRITICAL] CWE-74 CVE-2019-11581: There was a server-side template injection vulnerability in Jira Server and Data Center, in the Cont There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 befo

CVE-2019-8442 [HIGH] CVE-2019-8442: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 b The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.

CVE-2019-8443 [HIGH] CWE-287 CVE-2019-8443: The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, an The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to re-authenticate to pass "WebSudo" through an improper access contro

CVE-2019-3402 [MEDIUM] CWE-79 CVE-2019-3402: The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before v The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.

CVE-2019-3403 [MEDIUM] CWE-863 CVE-2019-3403: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before v The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

CVE-2019-3401 [MEDIUM] CWE-863 CVE-2019-3401: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

CVE-2019-3400 [MEDIUM] CWE-79 CVE-2019-3400: The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jql parameter.