Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-20670

XSS vulnerability in the Office Connector

    XMLWordPrintable

    Details

      Description

      We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector.

      • An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server.
      • XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. An attacker's text and script might be displayed to other people viewing the page. This is potentially damaging to your company's reputation.

      You can read more about XSS attacks at cgisecurity, CERT and other places on the web:

      Please refer to the security advisory for details of the vulnerability, risk assessment and mitigation strategies:
      http://confluence.atlassian.com/x/7ARODQ

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            smaddox SarahA
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: