On the "import word document" page action the name of the confluence page is a persistent xss vector (as it is not encoded).

How to Reproduce:

1. Create a confluence page with the following title

XSS"/><script>alert('XSS')</script>

2. Navigate to the created page
3. Under the tools menu select "Import Word Document"
4. Upload a word document
5. Click "Next"
6. See an alert prompt containing the text 'XSS' within it.