[CONFSERVER-21099] XSS vulnerability in Attachments macro - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.1
Affects Version/s: 3.3
Component/s: Editor - Page / Comment Editor
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {attachments} macro.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
http://confluence.atlassian.com/x/HgdrDQ

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

attachments-table.vm.zip
2 kB
25/Oct/2010 2:00 AM
attachments-table.vm-3.4.x.zip
2 kB
11/Jan/2011 2:45 AM

Assignee:: Unassigned

Reporter:: SarahA

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 21/Oct/2010 2:24 AM

Updated:: 11/Oct/2018 9:02 AM

Resolved:: 25/Oct/2010 3:36 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates