• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 3.4.5
• Affects Version/s: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
• Component/s: None
• Labels:

  • affects-server
  • editor
  • security

1. pagetree-1.20.jar

   30 kB

   08/Dec/2010 12:07 AM

[CONFSERVER-21393] XSS vulnerability in Pagetree macro

Collapse comment: VitalyA added a comment - 30/Jan/2011 11:56 PM

VitalyA added a comment - 30/Jan/2011 11:56 PM

Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.

Expand comment: VitalyA added a comment - 30/Jan/2011 11:56 PM

VitalyA added a comment - 30/Jan/2011 11:56 PM Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04 . We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet. We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.

Collapse comment: Dave added a comment - 21/Jan/2011 5:49 AM

Dave added a comment - 21/Jan/2011 5:49 AM

Will we get a separate fix for 3.2 or the current fix can be used?

Expand comment: Dave added a comment - 21/Jan/2011 5:49 AM

Dave added a comment - 21/Jan/2011 5:49 AM Will we get a separate fix for 3.2 or the current fix can be used?

Collapse comment: Mark Hrynczak (Inactive) added a comment - 20/Jan/2011 10:53 PM

Mark Hrynczak (Inactive) added a comment - 20/Jan/2011 10:53 PM

The patch is simply an updated version of the plugin. Details on how to install a plugin for your version are here.

You can also find out about using the pagetree macro here.

Cheers,
Mark

Expand comment: Mark Hrynczak (Inactive) added a comment - 20/Jan/2011 10:53 PM

Mark Hrynczak (Inactive) added a comment - 20/Jan/2011 10:53 PM The patch is simply an updated version of the plugin. Details on how to install a plugin for your version are here . You can also find out about using the pagetree macro here . Cheers, Mark

Collapse comment: AS added a comment - 20/Jan/2011 8:44 PM

AS added a comment - 20/Jan/2011 8:44 PM

Can someone provide the instructions to apply this patch. I am new to confluence and not sure how this will be appplied. BTW I have not seen any file that starts with pagetree* in our environment. We are on 3.3.3.

Expand comment: AS added a comment - 20/Jan/2011 8:44 PM

AS added a comment - 20/Jan/2011 8:44 PM Can someone provide the instructions to apply this patch. I am new to confluence and not sure how this will be appplied. BTW I have not seen any file that starts with pagetree* in our environment. We are on 3.3.3.

Collapse comment: HengHwa Loi [Atlassian] added a comment - 19/Jan/2011 2:56 PM, Edited by HengHwa Loi [Atlassian] - 11/Feb/2011 12:02 PM

HengHwa Loi [Atlassian] added a comment - 19/Jan/2011 2:56 PM - edited

Tested on 3.1.2, it works!

Edit: Did a quick test on this, appear to be working to me, but please be aware that this is contradict with the compatibility matrix.

Expand comment: HengHwa Loi [Atlassian] added a comment - 19/Jan/2011 2:56 PM, Edited by HengHwa Loi [Atlassian] - 11/Feb/2011 12:02 PM

HengHwa Loi [Atlassian] added a comment - 19/Jan/2011 2:56 PM - edited Tested on 3.1.2, it works! Edit: Did a quick test on this, appear to be working to me, but please be aware that this is contradict with the compatibility matrix .

Collapse comment: uvoellger added a comment - 18/Jan/2011 10:29 AM

uvoellger added a comment - 18/Jan/2011 10:29 AM

Any information about 3.3.1?
Thanks

Expand comment: uvoellger added a comment - 18/Jan/2011 10:29 AM

uvoellger added a comment - 18/Jan/2011 10:29 AM Any information about 3.3.1? Thanks

Collapse comment: Eric Dalgliesh added a comment - 30/Dec/2010 12:33 AM

Eric Dalgliesh added a comment - 30/Dec/2010 12:33 AM

https://studio.atlassian.com/browse/JST-3558

Expand comment: Eric Dalgliesh added a comment - 30/Dec/2010 12:33 AM

Eric Dalgliesh added a comment - 30/Dec/2010 12:33 AM https://studio.atlassian.com/browse/JST-3558

Collapse comment: Matthew Erickson added a comment - 08/Dec/2010 12:07 AM, Edited by Stefan Saasen - 11/Jan/2011 4:36 AM

Matthew Erickson added a comment - 08/Dec/2010 12:07 AM - edited

I have attached version 1.20 of the Page Tree plugin, which fixes this issue, and has been tested with Confluence 3.3.2 and newer.

Expand comment: Matthew Erickson added a comment - 08/Dec/2010 12:07 AM, Edited by Stefan Saasen - 11/Jan/2011 4:36 AM

Matthew Erickson added a comment - 08/Dec/2010 12:07 AM - edited I have attached version 1.20 of the Page Tree plugin, which fixes this issue, and has been tested with Confluence 3.3.2 and newer.