- Bug
- Resolution: Fixed
- Highest
- 4.2.7
- None
- 6.5
From: OFFCONN-81:
Using the "office excel" macro (as part of viewfile, which is part of the Office Connector plugin) seems to open up the possibility of XSS code being injected.
Steps to reproduce:
1.) Create an Excel file with the following content in one cell:
'"><script>alert('XSS')</script><
2.) Attach this file to a Confluence page
3.) Go into edit mode
4.) Use the "office excel" macro and choose the excel file
5.) Click "save"
Result:
An XSS-message appears
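
The class of bug reported above, shown as an added example (not code from the Office Connector plugin or from Atlassian): a spreadsheet cell rendered into HTML by string concatenation next to the same renderer with output encoding. The class and method names are hypothetical, and the markup shape (cell text used in both an attribute and the element body) is an assumption, since the report does not say where the value lands.

```java
import java.util.List;

// Added illustration: hypothetical renderer, not the Office Connector's code.
public class CellRenderDemo {

    // Encode the characters that can end an HTML text node or a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe: cell text is concatenated into an attribute and the element body as-is.
    static String renderCellUnsafe(String value) {
        return "<td title=\"" + value + "\">" + value + "</td>";
    }

    // Hardened: the same markup with every use of the cell text encoded first.
    static String renderCellSafe(String value) {
        String v = escapeHtml(value);
        return "<td title=\"" + v + "\">" + v + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample cells; the second is the string from step 1 of the report.
        List<String> cells = List.of("Q3 revenue", "'\"><script>alert('XSS')</script><");
        for (String cell : cells) {
            String safe = renderCellSafe(cell);
            System.out.println("unsafe: " + renderCellUnsafe(cell));
            System.out.println("safe:   " + safe);
            // Regression check: no raw tag from the cell may survive encoding.
            if (safe.contains("<script")) {
                throw new AssertionError("encoding check failed for: " + cell);
            }
        }
    }
}
```

The check in `main` can be kept as a regression test that feeds the reported cell content through the renderer after the fix.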