-
Bug
-
Resolution: Fixed
-
Medium
-
2.8
-
None
Referrer URLs are not encoded in viewinfo.vm
- causes
-
-
- Closed
-
[CONFSERVER-11524] XSS vulnerability in viewinfo.action
Patch Instructions for 2.7.x and 2.8.0 users
- Shutdown Confluence
- Create the following directories com/atlassian/confluence/pages/actions in your confluence/WEB-INF/classes directory.
- Copy the attached PageInfoAction.class to confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions
- Copy the attached viewinfo.vm to confluence/pages
- Startup Confluence
It is possible to remove a referrer under Administration Console - > Manage Referrers by purging referrers with a particular prefix.
It is also possible not to show referrers in page info by disabling it under Administration Console - > Manage Referrers