• Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version/s: 3.4.5
    • Affects Version/s: 2.7, 2.8, 2.9, 2.10, 3.0, 3.1, 3.2, 3.3, 3.4
    • Component/s: None

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {global-reports} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ
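      As an added illustration of the defect class this issue names (a macro parameter reaching page HTML without output encoding), and not the actual source of the {global-reports} macro, which this page does not show, the following hypothetical Java contrasts the unencoded rendering with the HTML-encoded form and keeps the regression check a build could run on every macro that emits HTML. The class, method and parameter names, and the test value, are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added illustration for CONFSERVER-21391 (hypothetical code, not the
 * Confluence {global-reports} macro source, which this page does not show).
 * It contrasts a macro parameter concatenated into page HTML as-is with the
 * HTML-encoded form, and keeps a regression check that fails whenever an
 * untrusted value containing markup survives rendering verbatim.
 */
public final class MacroOutputEncodingExample {

    /** Encodes the five characters that change meaning in HTML text and attribute values. */
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the caller-supplied "title" parameter is concatenated into markup unchanged. */
    static String renderUnsafe(Map<String, String> params) {
        String title = params.getOrDefault("title", "Global Reports");
        return "<h2 class=\"report-title\">" + title + "</h2>";
    }

    /** Hardened pattern: the same value is HTML-encoded for the text context it lands in. */
    static String renderSafe(Map<String, String> params) {
        String title = params.getOrDefault("title", "Global Reports");
        return "<h2 class=\"report-title\">" + htmlEncode(title) + "</h2>";
    }

    /**
     * Regression check: an untrusted value that carries markup characters must never
     * appear verbatim in the rendered HTML. Returns true when it leaks through.
     */
    static boolean untrustedMarkupLeaks(String rendered, String untrusted) {
        boolean hasMarkupChars = untrusted.indexOf('<') >= 0 || untrusted.indexOf('"') >= 0;
        return hasMarkupChars && rendered.contains(untrusted);
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        // Constructed test value: the usual harmless marker used in XSS regression tests.
        params.put("title", "<script>alert('xss')</script>");

        String unsafe = renderUnsafe(params);
        String safe = renderSafe(params);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // The check reports a leak only for the rendering that skipped encoding.
        System.out.println("leak (unsafe): " + untrustedMarkupLeaks(unsafe, params.get("title")));
        System.out.println("leak (safe):   " + untrustedMarkupLeaks(safe, params.get("title")));
    }
}
```

      The encoder is deliberately context-specific: it is correct for HTML text nodes and double-quoted attribute values, but a value placed inside a JavaScript block, a URL or a CSS property needs the encoder for that context instead, which is the usual reason a single "escape everything once" helper still leaves gaps.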

            [CONFSERVER-21391] XSS vulnerability in Global Reports macro

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.


            Dave added a comment -

            Will we get a separate fix for 3.2 or the current fix can be used?


            HengHwa Loi [Atlassian] added a comment (edited) -

            Tested 3.4.4 on Confluence 3.1.2, the following error occurs in the Dashboard:

            Error formatting macro: spaces: java.lang.NoSuchMethodError: com.atlassian.confluence.labels.LabelManager.getTeamLabelsForSpaces(Ljava/util/Collection;)Ljava/util/List;

            Plus the Dashboard does not render properly.

            Radik Kizhnerman added a comment -

            Just wanted to confirm:
            Version 1.13.1 of the Confluence Dashboard Macros plugin works with Confluence 3.3.x, and earlier, correct? If not, what do we do for 3.1, or 3.2 versions of Confluence?
            These should be placed into the plugins folder, same as any other plugin, correct?
            Do we also need to delete the old plugin, or is that not necessary?

            Stefan Saasen (Inactive) added a comment (edited) -

            I have attached version 3.4.4 of the Confluence Dashboard Macros plugin which contains the fix for this issue, and has been tested to work with Confluence 3.4.x.

            Matthew Erickson added a comment (edited) -

            I have attached version 1.13.1 of the Confluence Dashboard Macros plugin which contains the fix for this issue, and has been tested to work with Confluence 3.3.x.


              Assignee: Unassigned
              Reporter: SarahA (smaddox)
              Affected customers: 0
              Watchers: 5