[CONFSERVER-14753] XSS vulnerability can be exploited with the Page Index macro - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.10.3
Affects Version/s: 2.10
Component/s: Editor - Page / Comment Editor
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Use the following markup on a page:

text
{noformat}><script>alert('XSS')</script><b a=a{noformat}

On another page in the same space, use the

{index}

macro. When this page is loaded by a user, the script will run.

See here for a working example on QA-CAC.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-advanced-macros-1.4.2.1-patched.jar
115 kB
15/Apr/2009 12:58 AM
xss-fix.patch
5 kB
29/Apr/2009 12:22 AM

is duplicated by

CONFSERVER-6990 Javascript in wiki page executed by {index}

Closed

Assignee:: Andrew Lynch (Inactive)

Reporter:: Mark Hrynczak (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 03/Mar/2009 4:12 AM

Updated:: 11/Oct/2018 8:52 AM

Resolved:: 01/Apr/2009 12:01 AM