We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence Activity Stream gadget. All versions from 3.1 to 3.4.6 are affected.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.

            [CONFSERVER-21606] XSS vulnerability in Activity Stream gadget

            Vitaly Burlai added a comment -

            Thanks Tony. I've installed it now.
            This was the last one to patch my Confluence

            TonyA added a comment -

            Hi, Vitaly:

            I was able to install the JAR file using the legacy plugin tool. Please see my note above. You should not need any additional JAR files.


            TonyA added a comment - edited

            It's currently not possible to upgrade the Activity Streams Plugin automatically using the UPM.
            If you're running Confluence 3.3, you will need to do the following:

            1. Download the 3.3.x plugin JAR file (see the link above)
            2. Install the plugin manually using the "Upload Plugin" link on the "Install" tab of the UPM.

            If you're running Confluence 3.4, you will need to do the following:

            1. Download the plugin JAR file (see the link above).
            2. Open the legacy plugin tool, which can be found at BASE_URL/admin/viewplugins.action. In other words, if your Confluence instance is installed at http://myhost.home/confluence/, the full URL would be http://myhost.com/confluence/admin/viewplugins.action.
            3. Install the downloaded plugin JAR file using the "Choose File" and "Upload" buttons.

            Once you've installed the plugin, you may see an error in the UPM when viewing the plugin. This error doesn't affect the operation of the plugin itself. As long as you can see the updated version information in the legacy plugin manager, the installation was successful.


            Vitaly Burlai added a comment -

            Hi guys,
            I've tried installing 'streams-confluence-plugin-3.4.3.jar' on Confluence 3.4.2, as Stefan said it should work on 3.4.x.
            I get an error during installation:

              2011-03-24 15:05:49,632 ERROR [pool-7-thread-2] [com.atlassian.upm.PluginInstaller] execute Failed to install plugin

            When I go to plugin manager after that it shows another error for this particular plugin:

              An error was encountered while retrieving plugin details.

            Well, it just spoils the Confluence instance.

            Based on information from here it requires JAXB libs.
            I have

              jaxb-api-2.1.jar      jaxb-impl-2.1.10.jar

            files in my WEB-INF/lib/ that come with Confluence 3.4.2.

            Which JAXB versions should I put to WEB-INF/lib/ to make it work?

            Regards,
            Vitaly

            Sven Hessler added a comment -

            Is there a version for confluence 3.2.1_01 available?

            Stefan Saasen (Inactive) added a comment -

            For users of Confluence 3.4.x I have attached streams-confluence-plugin-3.4.3.jar which is an updated version of the Activity Stream gadget that is compatible with Confluence 3.4.x. It can be installed via the universal plugin manager.

            Giles Gaskell [Atlassian] added a comment - edited

            To apply this fix, use the plugin manager to upgrade the Confluence Activity Stream Plugin plugin to a version greater than or equal to that specified in the name of the attached file above.

            For details on upgrading Confluence's plugins using the plugin manager, see: Upgrading your Existing Plugins (for Confluence 3.4.x) or Installing and Configuring Plugins using the Plugin Repository Client (for Confluence 3.3.x).

            Matthew Erickson added a comment -

            For users of Confluence 3.3 I have attached 'streams-confluence-plugin-3.3-CONF-21606.jar' which is a patched version of the Activity Stream gadget that is compatible with Confluence 3.3. It can be installed via the plugin manager.
