Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-21604

XSS vulnerability in Include Page macro

XMLWordPrintable

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {include} macro. All versions from 2.7 to 3.4.6 are affected.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.

        1. confluence-advanced-macros-1.12.4.jar
          196 kB
        2. confluence-advanced-macros-1.9.3.jar
          196 kB

            [CONFSERVER-21604] XSS vulnerability in Include Page macro

            VitalyA added a comment -

            Andreas,

            We recommend to upgrade the product, there have been several other vulnerabilities discovered in 3.0 and above, see http://confluence.atlassian.com/display/DOC/Confluence+Security#ConfluenceSecurity-PublishedSecurityAdvisories

            This specific patch may work, but you still probably have other bugs not patched.

            VitalyA added a comment - Andreas, We recommend to upgrade the product, there have been several other vulnerabilities discovered in 3.0 and above, see http://confluence.atlassian.com/display/DOC/Confluence+Security#ConfluenceSecurity-PublishedSecurityAdvisories This specific patch may work, but you still probably have other bugs not patched.

            VitalyA added a comment -

            Robin,

            This page provides some examples for generic XSS attacks - http://www.cgisecurity.com/xss-faq.html#examples. I'll contact you directly on the topic of testing.

            VitalyA added a comment - Robin, This page provides some examples for generic XSS attacks - http://www.cgisecurity.com/xss-faq.html#examples . I'll contact you directly on the topic of testing.

            Andreas Hartmann added a comment -

            Is there a fix for confluence 3.0.2 available?

            Andreas Hartmann added a comment - Is there a fix for confluence 3.0.2 available?

            Robin Crorie added a comment -

            Hi Guys,

            Please can you provide details on how to exploit this XSS vulnerability so we (Adaptavist) can test our similar macros for this?

            Many Thanks,

            Robin Crorie
            Support Engineer
            Adaptavist

            Robin Crorie added a comment - Hi Guys, Please can you provide details on how to exploit this XSS vulnerability so we (Adaptavist) can test our similar macros for this? Many Thanks, Robin Crorie Support Engineer Adaptavist

            Raphael Joss added a comment -

            Is it save to install Version 1.9.3 in a Confluence 3.2 instance?

            Raphael Joss added a comment - Is it save to install Version 1.9.3 in a Confluence 3.2 instance?

            Giles Gaskell [Atlassian] added a comment -

            To apply this fix, use the plugin manager to upgrade the Advanced Macros plugin to a version greater than or equal to that specified in the name of the attached file above.

            For details on upgrading Confluence's plugins using the plugin manager, see:

            Giles Gaskell [Atlassian] added a comment - To apply this fix, use the plugin manager to upgrade the Advanced Macros plugin to a version greater than or equal to that specified in the name of the attached file above. For details on upgrading Confluence's plugins using the plugin manager, see: Upgrading your Existing Plugins (for Confluence 3.4.x) or Installing and Configuring Plugins using the Plugin Repository Client (for Confluence 3.3.x).

            Stefan Saasen (Inactive) added a comment -

            I have attached version 1.9.3 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.3.3.

            Stefan Saasen (Inactive) added a comment - I have attached version 1.9.3 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.3.3.

            Stefan Saasen (Inactive) added a comment -

            I have attached version 1.12.4 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.4.x.

            Stefan Saasen (Inactive) added a comment - I have attached version 1.12.4 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.4.x.

              vosipov VitalyA
              smaddox SarahA
              Affected customers:
              0 This affects my team
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: