Confluence Data Center / CONFSERVER-14753

XSS vulnerability can be exploited with the Page Index macro

      Use the following markup on a page:

      text
      {noformat}><script>alert('XSS')</script><b a=a{noformat}

      On another page in the same space, use the

      {index}

      macro. When this page is loaded by a user, the script will run.

      See here for a working example on QA-CAC.

        1. confluence-advanced-macros-1.4.2.1-patched.jar
          115 kB
          Andrew Lynch
        2. xss-fix.patch
          5 kB
          Andrew Lynch
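
The report above comes down to text authored on one page being written into another page's HTML without encoding. The Java sketch below is an added example, not code from Confluence or the Advanced Macros plugin; the class name, the `excerptOf` rule and the `<li>` layout are assumptions for illustration, since the page does not show the macro's actual output.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration only: a toy index renderer, not Confluence or Advanced Macros code.
public class IndexExcerptDemo {
    // Hypothetical excerpt rule: take the text inside the first {noformat} block.
    private static final Pattern NOFORMAT =
            Pattern.compile("\\{noformat\\}(.*?)\\{noformat\\}", Pattern.DOTALL);

    static String excerptOf(String wikiMarkup) {
        Matcher m = NOFORMAT.matcher(wikiMarkup);
        return m.find() ? m.group(1) : wikiMarkup;
    }

    // Encode the characters that are significant in HTML text and attribute values.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // encode=false is the 'before': author-controlled text reaches the viewer's browser as markup.
    static String renderIndex(Map<String, String> pagesInSpace, boolean encode) {
        StringBuilder html = new StringBuilder("<ul>\n");
        for (Map.Entry<String, String> page : pagesInSpace.entrySet()) {
            String title = page.getKey();
            String excerpt = excerptOf(page.getValue());
            html.append("<li><b>").append(encode ? htmlEncode(title) : title).append("</b> ")
                .append(encode ? htmlEncode(excerpt) : excerpt).append("</li>\n");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        Map<String, String> space = new LinkedHashMap<>();   // constructed sample space
        space.put("Release notes", "Plain text page");
        space.put("Test page", "text\n{noformat}><script>alert('XSS')</script><b a=a{noformat}");
        System.out.println("-- unencoded --\n" + renderIndex(space, false));
        System.out.println("-- encoded --\n" + renderIndex(space, true));
    }
}
```

In the encoded run the `<script>` element from the sample page appears only as `&lt;script&gt;` text, so a browser displays it instead of executing it.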


            Mark Nye added a comment -

            We won't be able to get to a newer version of Confluence until later in the summer. Would it be possible to backup this fix to advanced macros version 1.3? I suspect that a lot of folks are still running Confluence 2.8.x.

            best,
            Mark


            Andrew Lynch (Inactive) added a comment -

            Hi,

            I've provided the source for the diff for version 1.5.3.3, which should be basically the same as the diff for 1.4.2.1.

            I don't think this would be compatible with version 2.8.2, due to major changes in its structure from 2.8 to 2.9.
            It is possible that it might work, but I'm not sure.
            Is an upgrade to 2.9 not an option?

            Regards,
            Andrew Lynch

            Mark Nye added a comment -

            Any chance you could provide a 2.8.2 fix, or will this work with 2.8.2?

            best,
            Mark


            scayla added a comment -

            Hi,

            Could it be possible to have the source code somewhere or the diff between v1.4.2.1 and the patched one?
            I cannot see this version in your SVN and as I made some modifications over the 1.4.2.1 version, I would like to apply your modifications to my version.

            Regards,
            Steeve Cayla


            Andrew Lynch (Inactive) added a comment - edited

            INSTRUCTIONS FOR PATCHING YOUR SYSTEM

            To fix this issue when running Confluence 2.10, please upgrade to version 1.5.3.3 of Confluence Advanced Macros or higher.

            To fix this issue when running Confluence 2.9, please use the attached version 1.4.2.1-patched of Confluence Advanced Macros.

            Regards,
            Andrew Lynch

            Mark Hrynczak (Inactive) added a comment -

            Note: Confluence is vulnerable even when Anti-XSS mode is turned on.
