Atlassian Jira Server vulnerabilities

159 known vulnerabilities affecting atlassian/jira_server.

Total CVEs: 159
CISA KEV: 2 (actively exploited)
Public exploits: 16
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 28, MEDIUM 123, LOW 3

Vulnerabilities (page 8 of 8; the 19 oldest entries, newest first)
CVE-2019-3399 | HIGH | CVSS 7.5 | CWE-863 | Affected: ≥ 8.0.0, < 8.0.2 | 2019-04-30
The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.
Source: NVD
CVE-2018-20239 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: fixed in 7.13.3; ≥ 8.0.0, < 8.1.0 | 2019-04-30
Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a pl…
Source: NVD
CVE-2018-13404 | MEDIUM | CVSS 4.1 | CWE-918 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, ≤ 7.8.4; +5 more | 2019-02-13
The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.…
Source: NVD
CVE-2018-20232 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 7.7.0, < 7.13.1 | 2019-02-13
The labels widget gadget in Atlassian Jira before version 7.6.11 and from version 7.7.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the rendering of retrieved content from a url location that could be manipulated by the up_projectid widget preference setting.
Source: NVD
CVE-2018-13403 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 7.7.0, ≤ 7.12.3; ≥ 7.13.0, < 7.13.1 | 2019-02-13
The two-dimensional filter statistics gadget in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.12.4, and from version 7.13.0 before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a saved filter when displayed on a Jira dashboard.
Source: NVD
CVE-2018-13400 | MEDIUM | CVSS 4.7 | CWE-269 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +5 more | 2018-10-23
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1…
Source: NVD
CVE-2018-13401 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +5 more | 2018-10-23
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allo…
Source: NVD
CVE-2018-13402 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +5 more | 2018-10-23
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attac…
Source: NVD
CVE-2018-13391 | MEDIUM | CVSS 5.3 | CWE-200 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +3 more | 2018-08-28
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain th…
Source: NVD
CVE-2018-13395 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +3 more | 2018-08-28
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerab…
Source: NVD
CVE-2017-18104 | MEDIUM | CVSS 5.9 | CWE-200 | Affected: ≥ 7.7.0, < 7.11.0 | 2018-07-24
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.
Source: NVD
CVE-2018-5232 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 7.7.0, < 7.10.1 | 2018-07-18
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.
Source: NVD
CVE-2018-13387 | MEDIUM | CVSS 6.1 | Affected: ≥ 7.7.0, < 7.7.5; ≥ 7.8.0, < 7.8.5; +2 more | 2018-07-16
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability i…
Source: NVD
CVE-2018-5231 | HIGH | CVSS 7.5 | Affected: ≥ 7.7.0, < 7.7.4; ≥ 7.8.0, < 7.8.4; +1 more | 2018-05-16
The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to perform a denial of service attack via sending requests to it.
Source: NVD
CVE-2018-5230 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | Affected: ≥ 7.7.0, < 7.7.4; ≥ 7.8.0, < 7.8.4; +1 more | 2018-05-14
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value…
Source: NVD
CVE-2017-18102 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 7.5.0, < 7.6.8; ≥ 7.7.0, < 7.7.1; +1 more | 2018-04-17
The wiki markup component of atlassian-renderer from version 8.0.0 before version 8.0.22 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in nested wiki markup.
Source: NVD
CVE-2017-18101 | MEDIUM | CVSS 6.5 | CWE-284 | Affected: ≥ 7.7.0, < 7.7.3; ≥ 7.8.0, < 7.8.3 | 2018-04-10
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permissio…
Source: NVD
CVE-2017-14594 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 7.3.0, < 7.6.1 | 2018-01-12
The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter.
Source: NVD
CVE-2015-8481 | LOW | CVSS 3.1 | CWE-200 | Affected: v7.0.3 | 2016-01-08
Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup fo…
Source: NVD
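The affected-version lists above are written as chains of "before X" and "from Y before Z" clauses, and several entries only fit on this page as "+5 more". The following is an added example, not part of this database or of Atlassian's tooling: a Python check that takes the ranges transcribed from the descriptions above and reports which of these CVEs apply to a given Jira Server version. Assumptions: version strings are dotted numerics (a build suffix after the third component is ignored); only entries whose version list is complete on this page are encoded, so the table is deliberately partial; for CVE-2018-13401 the trailing clause "and before version 7.13.1" is read as the 7.13 branch (7.13.0), since the earlier clauses already give a fixed version for every older branch, and that reading is an assumption; CVE-2015-8481 names a single version, encoded as the half-open range 7.0.3 to 7.0.4.

```python
"""Check a Jira Server version against affected ranges transcribed from this page.

Added example; not the database's or Atlassian's code. Ranges are half-open:
(low_inclusive or None, high_exclusive). A low of None means "every version
before high", which is how the NVD text "before version X" reads.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[Optional[str], str]

# Transcribed from the CVE descriptions above. Entries cut off on this page
# before their version list ends are intentionally left out.
AFFECTED: Dict[str, List[Range]] = {
    "CVE-2019-3399": [(None, "7.13.2"), ("8.0.0", "8.0.2")],
    "CVE-2018-20232": [(None, "7.6.11"), ("7.7.0", "7.13.1")],
    "CVE-2018-13403": [(None, "7.6.10"), ("7.7.0", "7.12.4"), ("7.13.0", "7.13.1")],
    "CVE-2018-13401": [
        (None, "7.6.9"), ("7.7.0", "7.7.5"), ("7.8.0", "7.8.5"),
        ("7.9.0", "7.9.3"), ("7.10.0", "7.10.3"), ("7.11.0", "7.11.3"),
        ("7.12.0", "7.12.3"),
        # Assumption: the description's literal "and before version 7.13.1"
        # is taken to mean the 7.13 branch only; read literally it would also
        # re-flag 7.12.3, which the preceding clause says is fixed.
        ("7.13.0", "7.13.1"),
    ],
    "CVE-2018-5231": [(None, "7.6.6"), ("7.7.0", "7.7.4"), ("7.8.0", "7.8.4"), ("7.9.0", "7.9.2")],
    "CVE-2017-14594": [(None, "7.2.12"), ("7.3.0", "7.6.1")],
    # Single affected version on the page, encoded as a one-version range.
    "CVE-2015-8481": [("7.0.3", "7.0.4")],
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.13.1' -> (7, 13, 1). '7.13' pads to (7, 13, 0); '8.0.2-m0001' -> (8, 0, 2)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError(f"not a version string: {v!r}")
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def in_range(version: str, rng: Range) -> bool:
    """True when low <= version < high (low of None = no lower bound)."""
    lo, hi = rng
    v = parse_version(version)
    if lo is not None and parse_version(lo) > v:
        return False
    return v < parse_version(hi)


def affected_cves(version: str, table: Dict[str, List[Range]] = AFFECTED) -> List[str]:
    """Return the sorted CVE ids from `table` whose ranges contain `version`."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    for sample in ("7.8.4", "7.13.1", "7.13.2", "8.0.1", "8.0.2"):
        hits = affected_cves(sample)
        print(f"{sample:>7}: {', '.join(hits) if hits else 'none of the encoded CVEs'}")
```

Note the asymmetry the check has to preserve: "before version 7.13.2" covers 7.13.1 but not 8.0.x, which is why the 8.0 branch of CVE-2019-3399 needs its own clause; a naive single-bound comparison would report 8.0.1 as fixed.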