We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {bookmarks} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ

            [CONFSERVER-21390] XSS vulnerability in Bookmarks macro

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.


            Dave added a comment - edited

            Will we get a separate fix for 3.2, or can the current fix be used?


            dan pritts added a comment -

            For ease of patching it would be convenient to list here where the file should be installed. Thanks.


            HengHwa Loi [Atlassian] added a comment -

            Works on 3.1.2

            uvoellger added a comment -

            Any information about 3.3.1?
            Thanks


            Matthew Erickson added a comment -

            I have attached version 1.3.4 of the Social Bookmarking Plugin that fixes this issue. It has been tested to be compatible with Confluence 3.3.2 and newer.
