Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.8
Affects Version/s: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
Component/s: None
Labels:
- advisory
- affects-server
- cvss-high
- editor
- plugins
- security

We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-attachments-plugin-2.20.jar
505 kB
04/Feb/2011 2:36 AM

Assignee:: VitalyA
Reporter:: Giles Gaskell [Atlassian]
Votes:: 0 Vote for this issue
Watchers:: 6 Start watching this issue

Created:: 03/Feb/2011 11:20 PM
Updated:: 11/Oct/2018 9:01 AM
Resolved:: 02/Mar/2011 12:17 AM

Details

Description

Attachments

Attachments

Activity

People

Dates