[CONFSERVER-21766] XSS vulnerability in the action links of Confluence's attachments lists. - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.8
Affects Version/s: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
Component/s: None
Labels:
- advisory
- affects-server
- cvss-high
- editor
- plugins
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-attachments-plugin-2.20.jar
505 kB
04/Feb/2011 2:36 AM

Assignee:: VitalyA

Reporter:: Giles Gaskell [Atlassian]

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 03/Feb/2011 11:20 PM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 02/Mar/2011 12:17 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates