• Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 3.4.6
    • 2.7
    • None

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {doc} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ

            [CONFSERVER-21508] XSS vulnerability in Documentation Link macro

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend upgrading to the most recent version regularly.


            Dave added a comment -

            Will we get a separate fix for 3.2 or the current fix can be used?


            HengHwa Loi [Atlassian] added a comment -

            Tested 1.9.2 on 3.1.2, it works!!

            VitalyA added a comment -

            Atlassian thanks daveb for reporting this vulnerability.


            Stefan Saasen (Inactive) added a comment -

            I have attached version 1.9.2 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.3.x.

            Stefan Saasen (Inactive) added a comment - edited

            I have attached version 1.12.3 of the Advanced Macros Plugin that fixes this issue. It has been tested to be compatible with Confluence 3.4 and newer.

              Assignee: Unassigned
              Reporter: SarahA (smaddox)