Confluence issue CONF-21766

XSS vulnerability in the action links of Confluence's attachments lists.


      Description

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
      * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.

      Attachments

      * confluence-attachments-plugin-2.20.jar (505 kB, Stefan Saasen [Atlassian])

      Activity

      * Giles Gaskell [Atlassian] created the issue.
      * Giles Gaskell [Atlassian] changed the Summary from "XSS vulnerability in Attachments table action links" to "XSS vulnerability in the action links of Confluence's attachments lists." and changed the Description to say "attachments lists" instead of "attachments view" (the rest of the text, including the two XSS reference links and the advisory link, was unchanged).
      * Giles Gaskell [Atlassian] set the Assignee to Vitaly Osipov [Atlassian] (vosipov).
      * Giles Gaskell [Atlassian] added a link: this issue duplicates CONF-21537.
      * Stefan Saasen [Atlassian] set Affects Version/s to 3.4, 3.3, 3.2, 3.1, 3.0, 2.9, 2.8 and 2.7.
      * Vincent Choy [Atlassian] set the Labels to "bugfix_support_backlog", then added "security".
      * Vincent Choy [Atlassian] changed the Status from New to Open.
      * Vitaly Osipov [Atlassian] changed the Summary to "Advisory: XSS vulnerability in the action links of Confluence's attachments lists." and then back to "XSS vulnerability in the action links of Confluence's attachments lists."; the Labels changed from "bugfix_support_backlog security" to "advisory security".
      * Vitaly Osipov [Atlassian] changed the Status from Open to Resolved, with Resolution: Fixed.
      * Vitaly Osipov [Atlassian] updated the Description, adding "All versions from 2.7 to 3.4.7 are affected." and "The page also includes detailed patch instructions."
      * Vitaly Osipov [Atlassian] set the Security level to "Developers and Reporter Only".
      * Matt Ryall [Atlassian] changed the Workflow from "Conf Bug Quality Review WorkFlow" to "Confluence Bug Workflow".
      * Anatoli Kazatchkov [Administrative Account] changed the Workflow from "Confluence Bug Workflow" to "New Confluence Default Workflow".
      * David Black [Atlassian] updated the Description, changing the advisory link from http://confluence.atlassian.com/x/MgCzDQ to https://confluence.atlassian.com/x/MgCzDQ.
