Two well-known but still exploitable RCE vulnerabilities in Atlassian products: CVE-2019-11581 in Jira's ContactAdministrators form via Java expression injection, and CVE-2019-3396 in Confluence's Widget Connector macro allowing arbitrary file access and command execution via the _template parameter. The article provides step-by-step exploitation techniques with proof-of-concept payloads.
A researcher discovered an SSRF vulnerability in a Jira instance and escalated it to local file read by chaining it with an exploit against an internal GlassFish server, using double URL encoding to bypass path traversal protections and read /etc/passwd.
A bug bounty hunter discovered an SSRF vulnerability in JIRA 5.8.13 via the oauth/users/icon-uri endpoint and escalated it to XSS by injecting an SVG payload (poc.svg) that executed client-side JavaScript.
A researcher discovered an SSRF vulnerability in an outdated Jira instance via the oauth/users/icon-uri endpoint, which was then chained to deliver XSS payloads by hosting malicious HTML and bypassing firewall protections. The vulnerability affected multiple high-profile organizations, including the European Commission, Motorola Solutions, and several universities.