Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jira_server
(Atlassian)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 133 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-08-23 | CVE-2019-11589 | The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability. | Jira_server | 6.1 | ||
| 2019-08-23 | CVE-2019-8445 | Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check. | Jira_server | 5.3 | ||
| 2019-08-23 | CVE-2019-8447 | The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability. | Jira_server | 4.3 | ||
| 2019-09-11 | CVE-2019-14996 | The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter. | Jira_server | 6.1 | ||
| 2019-09-11 | CVE-2019-14997 | The AccessLogFilter class in Jira before version 8.4.0 allows remote anonymous attackers to learn details about other users, including their username, via an information expose through caching vulnerability when Jira is configured with a reverse Proxy and or a load balancer with caching or a CDN. | Jira_server | 4.3 | ||
| 2019-09-11 | CVE-2019-8450 | Various templates of the Optimization plugin in Jira before version 7.13.6, and from version 8.0.0 before version 8.4.0 allow remote attackers who have permission to manage custom fields to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a custom field. | Jira_server | 4.8 | ||
| 2019-12-18 | CVE-2019-15013 | The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check. | Jira, Jira_server | 4.3 | ||
| 2020-02-06 | CVE-2019-20400 | The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability. | Jira_server | 7.8 | ||
| 2020-02-06 | CVE-2019-20401 | Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities. | Jira_server | 6.5 | ||
| 2020-07-13 | CVE-2019-20901 | The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter. | Jira, Jira_server | 6.1 |