[CONFSERVER-21766] XSS vulnerability in the action links of Confluence's attachments lists.

We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.
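The following is an added illustration, not code from this issue or from Atlassian's attachments plugin. The issue does not say which value reached the action links unescaped, so the sketch assumes (as a hypothetical) an attachment filename interpolated into a link's href and title attributes; the page id, paths and the filename are constructed. It shows the vulnerable rendering pattern next to a hardened one that encodes each value for the context it lands in, plus a parser-based check for injected event-handler attributes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker-controlled attachment name. The issue does not identify the
# injection point; a filename carried into the action link is an ASSUMPTION used
# only to illustrate the bug class.
MALICIOUS_NAME = 'report.pdf" onmouseover="alert(document.cookie)'


def render_action_link_unsafe(page_id: int, filename: str) -> str:
    """Vulnerable pattern: the raw filename is interpolated into two attributes.

    A double quote in the name closes the attribute early and lets the attacker
    append arbitrary attributes such as an event handler. No <script> tag needed.
    """
    return (
        f'<a class="action" href="/download/attachments/{page_id}/{filename}" '
        f'title="Download {filename}">Download</a>'
    )


def render_action_link_safe(page_id: int, filename: str) -> str:
    """Hardened pattern: encode each value for the context it lands in.

    - URL path segment: percent-encode (safe="" also encodes '/').
    - HTML attribute value: escape &, <, >, " and ' and keep the value quoted.
    """
    path_segment = quote(filename, safe="")
    attr_text = html.escape(filename, quote=True)
    return (
        f'<a class="action" href="/download/attachments/{page_id}/{path_segment}" '
        f'title="Download {attr_text}">Download</a>'
    )


class _AnchorAttributes(HTMLParser):
    """Collects every attribute (duplicates included) of <a> tags in a fragment."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(attrs)


def anchor_attributes(markup: str):
    """Return the (name, value) attribute pairs a parser sees on the link.

    Attribute values come back with character references decoded, which is
    what a browser would do too.
    """
    parser = _AnchorAttributes()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def event_handler_attributes(markup: str):
    """Names of on* attributes on the link; any hit means script injection."""
    return [name for name, _ in anchor_attributes(markup) if name.startswith("on")]


if __name__ == "__main__":
    for label, render in (("unsafe", render_action_link_unsafe),
                          ("safe", render_action_link_safe)):
        markup = render(123456, MALICIOUS_NAME)
        print(f"{label}: {markup}")
        print(f"  injected event handlers: {event_handler_attributes(markup)}")
```

The check parses the fragment instead of grepping for `<script>`, because the constructed payload never contains a script tag; it only breaks out of an attribute. The hardened renderer still round-trips the original filename in the title attribute, so escaping costs nothing in functionality.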


VitalyA added a comment - We recommend upgrading the product; there have been several other vulnerabilities discovered in 3.0 and above, see http://confluence.atlassian.com/display/DOC/Confluence+Security#ConfluenceSecurity-PublishedSecurityAdvisories

Andreas Hartmann added a comment - Is there a fix for Confluence 3.0.2 available?

Sven Hessler added a comment - Is there a fix for Confluence 3.2.1_01 available?

Giles Gaskell [Atlassian] added a comment - edited - To apply this fix, use the plugin manager to upgrade the Confluence Attachments Plugin to a version greater than or equal to that specified in the name of the attached file above. For details on upgrading Confluence's plugins using the plugin manager, see Upgrading your Existing Plugins (for Confluence 3.4.x) or Installing and Configuring Plugins using the Plugin Repository Client (for Confluence 3.3.x).

Stefan Saasen (Inactive) added a comment - Attached confluence-attachments-plugin-2.20.jar, which can be used to fix this issue in Confluence 3.3 and 3.4. Please use the plugin manager in the admin console to upload the updated version of the attachments plugin.
