Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-23052:

On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE

Related news

CVE-2021-41310: [JRASERVER-72800] Stored XSS on /secure/admin/AssociatedProjectsForCustomField.jspa - CVE-2021-41310 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.

CVE-2021-41313: [JRASERVER-72898] Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.21.0.

CVE-2021-41306: [JRASERVER-72915] Anonymous users can view names of private projects and filters via Average Time in Status Gadget - CVE-2021-41306 - Create and track feature requests for Atlassian pr...

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.

CVE-2021-41307: [JRASERVER-72916] Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307 - Create and track feature requests for Atlassian...

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.

CVE-2021-41304: [JRASERVER-72939] Reflected XSS /secure/admin/ImporterFinishedPage.jspa via error message - CVE-2021-41304 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the /secure/admin/ImporterFinishedPage.jspa error message. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.1.

CVE-2021-41305: [JRASERVER-72813] Anonymous user can view private project and filter names via IDOR in Average Number of Times in Status Gadget - CVE-2021-41305 - Create and track feature requests for...

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12..

CVE-2020-14263: Security Bulletin: iOS KeyChain Data Protection vulnerability in MobileIron AppConnect SDK affects HCL Traveler Companion (CVE-2020-14263) - Customer Support

"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"

CVE-2021-1534: Cisco Email Security Appliance URL Filtering Bypass Vulnerability

A vulnerability in the antispam protection mechanisms of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs. An attacker could exploit this vulnerability by crafting a URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for an affected device, which could allow malicious URLs to pass through the device.

CVE-2021-23053:

On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2021-39118: [JRASERVER-72736] User Enumeration via /rest/api/1.0/render endpoint - CVE-2021-39118 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint. The affected versions are before version 8.19.0.

CVE-2019-20101: [JRASERVER-72618] Anonymous users can access the /rest/whitelist/ /check resource - CVE-2019-20101 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.

CVE-2019-20101: [JRASERVER-72618] Anonymous users can access the /rest/whitelist/<version>/check resource - CVE-2019-20101 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view whitelist rules via a Broken Access Control vulnerability in the /rest/whitelist/<version>/check endpoint. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.

CVE-2021-39123: [JRASERVER-72237] Denial of Service via /rest/gadget/1.0/createdVsResolved/generate endpoint - CVE-2021-39123 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the /rest/gadget/1.0/createdVsResolved/generate endpoint. The affected versions are before version 8.16.0.

CVE-2021-26086: [JRASERVER-72695] Limited Remote File Read/Include in Jira Software Server - CVE-2021-26086 - Create and track feature requests for Atlassian products.

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

CVE-2020-24141: research/CVE-2020-24141.md at main · secwx/research

Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network hosts and execute command on services

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907