Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-11985

XSS vulnerability in create/edit/copy page and blogpost actions

    XMLWordPrintable

    Details

      Description

      The following create/edit page URL's are vulnerable:

      • /pages/createpage.action
      • /pages/docreatepage.action
      • /pages/editpage.action
      • /pages/doeditepage.action

      on parentPageString

      Example of a maliciously crafted path:
      /pages/doeditpage.action?pageId=12345&parentPageString=Home%22%3e%3cscript%3ealert("XSS")%3c%2fscript%3e

      where 12345 is a valid page id.

      Patch instructions for 2.8.x

      1. Shut down Confluence
      2. Copy attached content-editor.vm to confluence/template/custom
      3. Start up Confluence

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              don.willis@atlassian.com Don Willis
              Reporter:
              james.rinker James Rinker
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: