[CONFSERVER-13713] Attachments macro has XSS vulnerability - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.10
Affects Version/s: 2.8, 2.8.1, 2.8.2, 2.9, 2.9.1, 2.9.2
Component/s: Editor - Page / Comment Editor
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

After listening to Chris' security talk yesterday, I played around with areas of Confluence I am familiar with and I found a vulnerability in the attachments macro. You can create an attachment name with <script> tags and run script on a page that displays the attachment macro. The Attachments screen doesn't have this vulnerability.

Assignee:: RyanA

Reporter:: RyanA

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 13/Nov/2008 11:24 PM

Updated:: 11/Oct/2018 8:57 AM

Resolved:: 24/Nov/2008 6:26 AM

Details

Description

Attachments

Forms

Activity

People

Dates