There is a persistent XSS vulnerability in the attachment download functionality of Confluence. By uploading a malicious executable file type like SVG (scalable vector graphics with embedded JavaScript), it’s possible for an attacker to execute arbitrary code under the context of the logged in user.

The following screenshot demonstrates this vulnerability being exploited:

It's recommended the attachment handling code have a white list of known good mime-types that can be rendered inline. For everything else, the HTTP headers for content-type and content-disposition should be set to “application/x-download” and “attachment;" respectively.