CONF-21766 (project: Confluence)

XSS vulnerability in the action links of Confluence's attachments lists.

      Description

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

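      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
      * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting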

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.

        Activity

        ggaskell Giles Gaskell [Atlassian] created issue -
        ggaskell Giles Gaskell [Atlassian] made changes -
        Field Original Value New Value
        Summary
          Original Value: XSS vulnerability in Attachments table action links
          New Value: XSS vulnerability in the action links of Confluence's attachments lists.
        Description
          Original Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments view.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          New Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ
        ggaskell Giles Gaskell [Atlassian] made changes -
        Assignee Vitaly Osipov [Atlassian] [ vosipov ]
        ggaskell Giles Gaskell [Atlassian] made changes -
        Link This issue duplicates CONF-21537 [ CONF-21537 ]
        ssaasen Stefan Saasen made changes -
        ssaasen Stefan Saasen made changes -
        Affects Version/s 3.4 [ 15371 ]
        Affects Version/s 3.3 [ 15087 ]
        Affects Version/s 3.2 [ 14963 ]
        Affects Version/s 3.1 [ 14522 ]
        Affects Version/s 3.0 [ 14150 ]
        Affects Version/s 2.9 [ 13691 ]
        Affects Version/s 2.8 [ 13414 ]
        Affects Version/s 2.7 [ 13115 ]
        vchoy Vincent Choy made changes -
        Labels bugfix_support_backlog
        vchoy Vincent Choy made changes -
        Labels
          Original Value: bugfix_support_backlog
          New Value: bugfix_support_backlog security
        vchoy Vincent Choy made changes -
        Status
          Original Value: New [ 10034 ]
          New Value: Open [ 1 ]
        vosipov Vitaly Osipov [Atlassian] made changes -
        Summary
          Original Value: XSS vulnerability in the action links of Confluence's attachments lists.
          New Value: Advisory: XSS vulnerability in the action links of Confluence's attachments lists.
        vosipov Vitaly Osipov [Atlassian] made changes -
        Summary
          Original Value: Advisory: XSS vulnerability in the action links of Confluence's attachments lists.
          New Value: XSS vulnerability in the action links of Confluence's attachments lists.
        Labels
          Original Value: bugfix_support_backlog security
          New Value: advisory security
        vosipov Vitaly Osipov [Atlassian] made changes -
        Status
          Original Value: Open [ 1 ]
          New Value: Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        vosipov Vitaly Osipov [Atlassian] made changes -
        Description
          Original Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          New Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.
        vosipov Vitaly Osipov [Atlassian] made changes -
        Security Developers and Reporter Only [ 10040 ]
        matt@atlassian.com Matt Ryall [Atlassian] made changes -
        Workflow
          Original Value: Conf Bug Quality Review WorkFlow [ 277813 ]
          New Value: Confluence Bug Workflow [ 335318 ]
        akazatchkov.adm Anatoli Kazatchkov [Administrative Account] made changes -
        Workflow
          Original Value: Confluence Bug Workflow [ 335318 ]
          New Value: New Confluence Default Workflow [ 471341 ]
        dblack David Black made changes -
        Description
          Original Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.

          New Value:
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          https://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.
        jsoderstrom Jonas Soderstrom [Atlassian] made changes -
        Component/s Editor [ 38090 ]
        Component/s Attachments [ 10323 ]

          People

          • Votes: 0
          • Watchers: 6

            Dates

            • Created:
              Updated:
              Resolved:
              Last commented:
              4 years, 23 weeks, 1 day ago