We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {toc} macro. All versions from 2.9 to 3.4.8 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

[CONFSERVER-21819] XSS vulnerability in Table of Contents (toc) macro

VitalyA added a comment -

We recommend upgrading the product; there have been several other vulnerabilities discovered in 3.0 and above, see http://confluence.atlassian.com/display/DOC/Confluence+Security#ConfluenceSecurity-PublishedSecurityAdvisories

While this plugin may work in other versions of Confluence due to software modularity, you probably still have other vulnerabilities not fixed.


Jonas Sundman added a comment -

This version loads and works in version 3.0.2, too.

Sven Hessler added a comment -

Is there a fix for Confluence 3.2.1_01 available?

Giles Gaskell [Atlassian] added a comment - edited

To apply this fix, use the plugin manager to upgrade the Table of Contents plugin to a version greater than or equal to that specified in the name of the attached file above.

For details on upgrading Confluence's plugins using the plugin manager, see: Upgrading your Existing Plugins (for Confluence 3.4.x) or Installing and Configuring Plugins using the Plugin Repository Client (for Confluence 3.3.x).

Stefan Saasen (Inactive) added a comment -

I have attached version 2.4.12 of the TOC macro plugin which fixes this issue, and has been tested to work with Confluence 3.3.x and 3.4.x.

Please use the (Universal) plugin manager to upgrade the bundled version of this plugin.
