We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {include} macro. All versions from 2.7 to 3.4.6 are affected.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.
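The description above says only that the {include} macro could let an attacker embed JavaScript in a rendered page; it does not say which parameter or output context was involved. The following Python snippet is an added illustration, not Atlassian's code or the actual fix: it contrasts a macro renderer that concatenates a page-name parameter straight into HTML (the general defect class behind this kind of XSS) with one that URL-encodes the path segment and HTML-escapes everything it emits, and it uses the standard-library HTML parser as a check that no unexpected attributes survive rendering. The function names, the link layout and the sample parameter value are all constructed for this example.

```python
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import quote

# Constructed sample parameter value: a page name carrying a quote and an
# event-handler attribute. The advisory does not state the real trigger;
# this value exists only to show the two renderers behave differently.
SAMPLE_PAGE = 'Home" onmouseover="alert(1)'


def render_include_link_unsafe(space: str, page: str) -> str:
    """Defect class: untrusted macro parameters concatenated into HTML.
    Quotes in `page` terminate the href attribute, so the rest of the value
    becomes markup. (Hypothetical renderer, not the macro's real code.)"""
    return f'<a class="include" href="/display/{space}/{page}">{page}</a>'


def render_include_link(space: str, page: str) -> str:
    """Hardened form: encode for each output context separately.
    - path segments are percent-encoded (quote with safe="" encodes '/' too)
    - the assembled URL and the visible text are HTML-escaped, with quotes,
      so they are inert in attribute and element context."""
    href = "/display/" + quote(space, safe="") + "/" + quote(page, safe="")
    safe_href = html.escape(href, quote=True)
    safe_text = html.escape(page, quote=True)
    return f'<a class="include" href="{safe_href}">{safe_text}</a>'


class _AttrCollector(HTMLParser):
    """Collects attribute names of every start tag in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(fragment: str) -> List[str]:
    """Check used by the test below: parse the fragment the way a browser
    would and report which attributes actually exist on its tags. A correct
    renderer must yield only the attributes the template itself declares."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for renderer in (render_include_link_unsafe, render_include_link):
        fragment = renderer("DOC", SAMPLE_PAGE)
        print(renderer.__name__, attribute_names(fragment))
        print("   ", fragment)
```

Running the module shows the unsafe renderer producing an `<a>` element with a third, attacker-controlled `onmouseover` attribute, while the hardened renderer yields only `class` and `href`. The parser-based check is the useful part for a plugin author testing similar macros: feed each macro's output for a parameter containing `"`, `<` and `>` into it and compare the attribute list against the template's declared attributes.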

            [CONFSERVER-21604] XSS vulnerability in Include Page macro

            VitalyA added a comment -

            Andreas,

We recommend upgrading the product; there have been several other vulnerabilities discovered in 3.0 and above, see http://confluence.atlassian.com/display/DOC/Confluence+Security#ConfluenceSecurity-PublishedSecurityAdvisories

            This specific patch may work, but you still probably have other bugs not patched.


            VitalyA added a comment -

            Robin,

            This page provides some examples for generic XSS attacks - http://www.cgisecurity.com/xss-faq.html#examples. I'll contact you directly on the topic of testing.


Andreas Hartmann added a comment -

Is there a fix for Confluence 3.0.2 available?

Robin Crorie added a comment -

Hi Guys,

Please can you provide details on how to exploit this XSS vulnerability so we (Adaptavist) can test our similar macros for this?

Many Thanks,

Robin Crorie
Support Engineer
Adaptavist

Raphael Joss added a comment -

Is it safe to install version 1.9.3 in a Confluence 3.2 instance?

Giles Gaskell [Atlassian] added a comment -

To apply this fix, use the plugin manager to upgrade the Advanced Macros plugin to a version greater than or equal to that specified in the name of the attached file above.

For details on upgrading Confluence's plugins using the plugin manager, see: Upgrading your Existing Plugins (for Confluence 3.4.x) or Installing and Configuring Plugins using the Plugin Repository Client (for Confluence 3.3.x).

Stefan Saasen (Inactive) added a comment -

I have attached version 1.9.3 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.3.3.

Stefan Saasen (Inactive) added a comment -

I have attached version 1.12.4 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.4.x.
