Atlassian Jira Server And Data Center vulnerabilities

15 known vulnerabilities affecting atlassian/jira_server_and_data_center.

Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 13

Vulnerabilities

CVE-2021-43942 | MEDIUM | CVSS 6.1 | fixed in 8.13.5 | 2022-01-04
CWE-79. Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are befor
Sources: nvd
CVE-2020-14167 | HIGH | CVSS 7.5 | affected: < 7.13.14; ≥ 8.5.0; +5 more ranges | 2020-07-01
The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability.
Sources: cvelistv5, nvd
CVE-2020-4025 | MEDIUM | CVSS 4.8 | affected: < 8.5.5; ≥ 8.6.0; +3 more ranges | 2020-07-01
CWE-79. The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a
Sources: cvelistv5, nvd
CVE-2020-14164 | MEDIUM | CVSS 6.1 | affected: < 8.8.2 | 2020-07-01
CWE-79. The WYSIWYG editor resource in Jira Server and Data Center before version 8.8.2 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability by pasting JavaScript code into the editor field.
Sources: cvelistv5, nvd
CVE-2020-4022 | MEDIUM | CVSS 6.1 | affected: < 8.5.5; ≥ 8.6.0; +3 more ranges | 2020-07-01
CWE-79. The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a mixed multipart content type.
Sources: cvelistv5, nvd
CVE-2020-4029 | MEDIUM | CVSS 4.3 | affected: < 8.5.5; ≥ 8.6.0; +3 more ranges | 2020-07-01
The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
Sources: cvelistv5, nvd
CVE-2020-4024 | MEDIUM | CVSS 5.4 | affected: < 8.5.5; ≥ 8.6.0; +3 more ranges | 2020-07-01
CWE-79. The attachment download resource in Atlassian Jira Server and Data Center before 8.5.5, and from 8.6.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type.
Sources: cvelistv5, nvd
CVE-2020-14165 | MEDIUM | CVSS 5.3 | affected: < 8.9.0 | 2020-07-01
The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain the names of custom project avatars via an improper authorization vulnerability.
Sources: cvelistv5, nvd
CVE-2020-14168 | MEDIUM | CVSS 5.9 | affected: < 7.13.16; ≥ 8.5.0; +5 more ranges | 2020-07-01
The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via a man-in-the-middle (MITM) vulnerability.
Sources: cvelistv5, nvd
CVE-2020-14169 | MEDIUM | CVSS 6.1 | affected: < 8.9.1 | 2020-07-01
CWE-79. The quick search component in Atlassian Jira Server and Data Center before 8.9.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
Sources: cvelistv5, nvd
CVE-2020-4028 | MEDIUM | CVSS 5.3 | affected: < 8.9.1 | 2020-06-23
CWE-203. In versions before 8.9.1, various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page; in some situations this may have allowed unauthorised attackers to determine whether certain resources exist through an information disclosure vulnerability.
Sources: cvelistv5, nvd
CVE-2020-4021 | MEDIUM | CVSS 5.4 | affected: < 8.5.5; ≥ 8.6.0; +1 more range | 2020-06-01
CWE-79. Affected versions are: before 8.5.5, and from 8.6.0 before 8.8.1 of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the XML export view.
Sources: cvelistv5, nvd
CVE-2019-20105 | MEDIUM | CVSS 4.9 | affected: ≥ 7.13.8; < 7.13.12; +4 more ranges | 2020-03-17
CWE-306. The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access
Sources: cvelistv5, nvd
CVE-2019-20106 | MEDIUM | CVSS 4.3 | affected: < 7.13.12; ≥ 8.4.1; +3 more ranges | 2020-02-06
CWE-276. Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and from 8.6.0 before version 8.6.1 allow remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.
Sources: cvelistv5, nvd
CVE-2019-11581 | CRITICAL | CVSS 9.8 | KEV, PoC | affected: ≥ 4.4.0; < 7.6.14; +8 more ranges | 2019-08-09
CWE-74. There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 befo
Sources: cvelistv5, nvd
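The version ranges above are written in advisory prose ("before 8.5.5, and from 8.6.0 before 8.8.2"), which is easy to misread: "before 8.5.5" with no lower bound covers every 7.x and 8.0-8.4 release as well, and a release sitting between two ranges (8.5.5 through 8.5.x) is fixed even though later 8.6.x builds are not. The following Python is an added example, not part of this listing and not Atlassian's tooling. It transcribes the ranges from the descriptions above into (inclusive lower, exclusive upper) pairs and reports which entries cover a given Jira Server/Data Center version. Entries whose version text is truncated on this page (CVE-2021-43942, CVE-2019-11581) and CVE-2019-20105, which is keyed on Application Links plugin versions rather than Jira versions, are deliberately left out rather than guessed; the function and type names are the example's own.

```python
"""Check a Jira Server / Data Center version against the affected ranges on this page.

Added example (not the listing's or Atlassian's code). Ranges are transcribed from
the advisory text above; treat Atlassian's advisories as the source of truth.
"""
from typing import Dict, List, Optional, Tuple

# (inclusive lower bound or None, exclusive upper bound), read straight from the
# advisory wording: "before X" -> (None, X); "from A before B" -> (A, B).
Range = Tuple[Optional[str], str]

AFFECTED: Dict[str, List[Range]] = {
    # The description says "before 7.13.4" while the page header says "< 7.13.14";
    # the wider bound is used so the checker errs toward flagging a version.
    "CVE-2020-14167": [(None, "7.13.14"), ("8.5.0", "8.5.5"), ("8.8.0", "8.8.2"), ("8.9.0", "8.9.1")],
    "CVE-2020-4022": [(None, "8.5.5"), ("8.6.0", "8.8.2"), ("8.9.0", "8.9.1")],
    "CVE-2020-4024": [(None, "8.5.5"), ("8.6.0", "8.8.2"), ("8.9.0", "8.9.1")],
    "CVE-2020-4025": [(None, "8.5.5"), ("8.6.0", "8.8.2"), ("8.9.0", "8.9.1")],
    "CVE-2020-14164": [(None, "8.8.2")],
    "CVE-2020-4029": [(None, "8.5.5"), ("8.6.0", "8.7.2"), ("8.8.0", "8.8.1")],
    "CVE-2020-14165": [(None, "8.9.0")],
    "CVE-2020-14168": [(None, "7.13.16"), ("8.5.0", "8.5.7"), ("8.8.0", "8.8.2"), ("8.9.0", "8.9.1")],
    "CVE-2020-14169": [(None, "8.9.1")],
    "CVE-2020-4028": [(None, "8.9.1")],
    "CVE-2020-4021": [(None, "8.5.5"), ("8.6.0", "8.8.1")],
    "CVE-2019-20106": [(None, "7.13.12"), ("8.0.0", "8.5.4"), ("8.6.0", "8.6.1")],
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.13.5' or '8.13' into a comparable (major, minor, patch) tuple.

    A build or pre-release suffix after '-' is ignored; anything non-numeric is
    rejected rather than silently compared as a string (where '8.10' < '8.9').
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_range(version: str, rng: Range) -> bool:
    """True when lower <= version < upper (lower=None means no lower bound)."""
    lower, upper = rng
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def is_affected(version: str, cve: str) -> bool:
    """A version is affected if it falls in any of the CVE's listed ranges."""
    return any(in_range(version, r) for r in AFFECTED[cve])


def affected_cves(version: str) -> List[str]:
    """Sorted list of the transcribed CVEs whose ranges cover this version."""
    return sorted(cve for cve in AFFECTED if is_affected(version, cve))


if __name__ == "__main__":
    for v in ("7.13.10", "8.8.1", "8.8.2", "8.9.1"):
        print(v, affected_cves(v) or "none of the transcribed CVEs")
```

The numeric tuple comparison matters: naive string comparison would rank 8.10.x below 8.9.x. When the page's header and description disagree on a bound, as for CVE-2020-14167, the example keeps the wider range; a checker that under-reports is worse than one that sends you to read the advisory.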