Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-13040

Stored XSS in wiki macro search

XMLWordPrintable

      Creating a page/comment etc with the following wiki-markup macro will render javascript on the page for anybody visiting this page

      {search:query=<script>alert(document.cookie)</script>}

      IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
      vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
      you at least 30 days grace period prior to any public disclosure.

        1. search.vm
          0.7 kB
        2. search.vm.2.8.2
          0.7 kB
        3. search.vm-2.7.3
          0.7 kB

            [CONFSERVER-13040] Stored XSS in wiki macro search

            Said made changes -
            Labels Original: XSS affects-server macro search searching/indexing security New: XSS affects-server macro search searching/indexing security sxss
            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2898920 ] New: CONFSERVER Bug Workflow v4 [ 2993390 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2791587 ] New: JAC Bug Workflow v3 [ 2898920 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2721513 ] New: JAC Bug Workflow v2 [ 2791587 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2384807 ] New: JAC Bug Workflow [ 2721513 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2280058 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2384807 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2221237 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2280058 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2163998 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2221237 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 1920295 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2163998 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v3 [ 1730154 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 1920295 ]

              bnguyen Brian Nguyen (Inactive)
              9454181e1678 Thomas Jaehnel
              Affected customers:
              0 This affects my team
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: