-
Bug
-
Resolution: Fixed
-
Highest
-
2.10
Use the following markup on a page:
text
{noformat}><script>alert('XSS')</script><b a=a{noformat}
On another page in the same space, use the
{index}macro. When this page is loaded by a user, the script will run.
See here for a working example on QA-CAC.
- is duplicated by
-
-
- Closed
-
[CONFSERVER-14753] XSS vulnerability can be exploited with the Page Index macro
Hi,
I've provided the source for the diff for version 1.5.3.3, which should be basically the same as the diff for 1.4.2.1.
I don't think this would be compatible with version 2.8.2, due to major changes in its structure from 2.8 to 2.9.
It is possible that it might work, but I'm not sure.
Is an upgrade to 2.9 not an option?
Regards,
Andrew Lynch
Mark Nye
added a comment - Any chance you could provide a 2.8.2 fix, or will this work with 2.8.2?
best,
Mark
Mark Nye
added a comment - Any chance you could provide a 2.8.2 fix, or will this work with 2.8.2?
best,
Mark Hi,
Could it be possible to have the source code somewhere or the diff between v1.4.2.1 and the patched one ?
I cannot see this version in your SVN and as I made some modifications over the 1.4.2.1 version, I would like to apply your modifications to my version.
Regards,
Steeve Cayla
INSTRUCTIONS FOR PATCHING YOUR SYSTEM
To fix this issue when running Confluence 2.10, please upgrade to version 1.5.3.3 of Confluence Advanced Macros or higher.
To fix this issue when running Conlfuence 2.9, please use the attached version 1.4.2.1-patched of Confluence Advanced Macros.
Regards,
Andrew Lynch
Note: Confluence is vulnerable even when Anti-XSS mode is turned on.
We won't be able to get to a newer version of Confluence until later in the summer. Would it be possible to backup this fix to advanced macros version 1.3? I suspect that a lot of folks are still running Confluence 2.8.x.
best,
Mark