Confluence / CONF-21766

XSS vulnerability in the action links of Confluence's attachments lists.


      Description

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
      * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

      This issue is reported in our security advisory on this page:
      https://confluence.atlassian.com/x/MgCzDQ

      The page also includes detailed patch instructions.
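The advisory only says that an attachments-list action link could be made to carry attacker-supplied script; it does not say which value was injected or how Confluence builds those links. The following is an added illustration, not Confluence's code, of the general defect class and its fix: an attachment-derived string (here a constructed file name; the assumption that the file name was the injected value is ours) placed into an action link's href without encoding, beside the same link rendered with URL encoding for the query parameter and HTML escaping for the attribute. The URL layout under ACTION_PATH is hypothetical. A small parser-based check shows what attributes a browser would actually see on the anchor, which is the property a regression test for this kind of bug should assert on.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample attachment names. The second one carries the characters
# an attacker-controlled string would need to break out of an href attribute;
# it is test data for this example, not a value taken from the advisory.
BENIGN_NAME = "quarterly-report.pdf"
HOSTILE_NAME = 'notes" onmouseover="alert(1)'

# Hypothetical action URL layout; the real Confluence URLs are not on the page.
ACTION_PATH = "/pages/{action}attachment.action"


def render_action_link_vulnerable(page_id: int, name: str, action: str) -> str:
    """Weak pattern: an attachment-derived string concatenated straight into HTML."""
    href = ACTION_PATH.format(action=action) + f"?pageId={page_id}&fileName={name}"
    return f'<a href="{href}">{action}</a>'


def render_action_link_hardened(page_id: int, name: str, action: str) -> str:
    """Encode for each context in turn: URL query component first, then HTML attribute."""
    file_param = quote(name, safe="")  # percent-encode every reserved character
    href = ACTION_PATH.format(action=action) + f"?pageId={page_id}&fileName={file_param}"
    # html.escape with quote=True also turns '"' into &quot;, so the attribute
    # cannot be closed early; the link text gets the same treatment.
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(action)}</a>'


class _AnchorInspector(HTMLParser):
    """Collects the attributes a browser's parser would see on the <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(attrs)


def anchor_attribute_names(rendered: str) -> list:
    """Names of the attributes actually present on the rendered anchor."""
    inspector = _AnchorInspector()
    inspector.feed(rendered)
    return [attr_name for attr_name, _ in inspector.attrs]


def extract_file_name(rendered: str) -> str:
    """Recover the fileName parameter the way the server would decode it."""
    inspector = _AnchorInspector()
    inspector.feed(rendered)
    href = dict(inspector.attrs)["href"]
    return parse_qs(urlparse(href).query)["fileName"][0]


if __name__ == "__main__":
    for renderer in (render_action_link_vulnerable, render_action_link_hardened):
        out = renderer(123, HOSTILE_NAME, "remove")
        print(renderer.__name__, anchor_attribute_names(out), repr(extract_file_name(out)))
```

With the hostile name, the vulnerable renderer yields an anchor carrying an extra event-handler attribute and a truncated fileName, while the hardened one yields a single href whose fileName decodes back to the original string. Escaping on output for both contexts (URL, then attribute) is the fix; rejecting "bad characters" in file names is not, because the same string can be safe in one context and unsafe in another.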

          Activity

          ggaskell Giles Gaskell [Atlassian] created issue -
          ggaskell Giles Gaskell [Atlassian] made changes -
          (Field: original value → new value)
          Summary: XSS vulnerability in Attachments table action links → XSS vulnerability in the action links of Confluence's attachments lists.
          Description (original value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments view.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ
          Description (new value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ
          ggaskell Giles Gaskell [Atlassian] made changes -
          Assignee Vitaly Osipov [Atlassian] [ vosipov ]
          ggaskell Giles Gaskell [Atlassian] made changes -
          Link This issue duplicates CONF-21537 [ CONF-21537 ]
          ssaasen Stefan Saasen made changes -
          ssaasen Stefan Saasen made changes -
          Affects Version/s 3.4 [ 15371 ]
          Affects Version/s 3.3 [ 15087 ]
          Affects Version/s 3.2 [ 14963 ]
          Affects Version/s 3.1 [ 14522 ]
          Affects Version/s 3.0 [ 14150 ]
          Affects Version/s 2.9 [ 13691 ]
          Affects Version/s 2.8 [ 13414 ]
          Affects Version/s 2.7 [ 13115 ]
          vchoy Vincent Choy [Atlassian] made changes -
          Labels bugfix_support_backlog
          vchoy Vincent Choy [Atlassian] made changes -
          Labels: bugfix_support_backlog → bugfix_support_backlog security
          vchoy Vincent Choy [Atlassian] made changes -
          Status: New [ 10034 ] → Open [ 1 ]
          vosipov Vitaly Osipov [Atlassian] made changes -
          Summary: XSS vulnerability in the action links of Confluence's attachments lists. → Advisory: XSS vulnerability in the action links of Confluence's attachments lists.
          vosipov Vitaly Osipov [Atlassian] made changes -
          Summary: Advisory: XSS vulnerability in the action links of Confluence's attachments lists. → XSS vulnerability in the action links of Confluence's attachments lists.
          Labels: bugfix_support_backlog security → advisory security
          vosipov Vitaly Osipov [Atlassian] made changes -
          Status: Open [ 1 ] → Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          vosipov Vitaly Osipov [Atlassian] made changes -
          Description (original value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ
          Description (new value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.
          vosipov Vitaly Osipov [Atlassian] made changes -
          Security Developers and Reporter Only [ 10040 ]
          matt@atlassian.com Matt Ryall made changes -
          Workflow: Conf Bug Quality Review WorkFlow [ 277813 ] → Confluence Bug Workflow [ 335318 ]
          akazatchkov.adm Anatoli Kazatchkov [Administrative Account] made changes -
          Workflow: Confluence Bug Workflow [ 335318 ] → New Confluence Default Workflow [ 471341 ]
          dblack David Black made changes -
          Description (original value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          http://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.
          Description (new value):
          We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

          XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

          * cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
          * The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

          This issue is reported in our security advisory on this page:
          https://confluence.atlassian.com/x/MgCzDQ

          The page also includes detailed patch instructions.
          jsoderstrom Jonas Soderstrom [Atlassian] made changes -
          Component/s Editor [ 38090 ]
          Component/s Attachments [ 10323 ]
          security-metrics-bot Security Metrics Bot made changes -
          Labels: advisory security → advisory cvss-high security
          mhrynczak Mark Hrynczak [Atlassian] made changes -
          Workflow: New Confluence Default Workflow [ 471341 ] → Confluence Cloud First Workflow [ 1111604 ]
          osanico Owen Sanico made changes -
          Workflow: Confluence Cloud First Workflow [ 1111604 ] → Confluence Cloud First Workflow v2 [ 1218475 ]
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Labels: advisory cvss-high security → advisory cvss-high plugins security
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Labels: advisory cvss-high plugins security → advisory cvss-high editor plugins security
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Component/s Security [ 12160 ]
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Component/s Plugins [ 10580 ]
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Component/s Editor [ 38090 ]
          osanico Owen Sanico made changes -
          Workflow: Confluence Cloud First Workflow v2 [ 1218475 ] → Confluence Cloud First Workflow TEMP [ 1314587 ]
          osanico Owen Sanico made changes -
          Workflow: Confluence Cloud First Workflow TEMP [ 1314587 ] → Confluence Workflow - Public Facing [ 1354695 ]

            People

            • Votes: 0
            • Watchers: 6
