NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      We have identified and fixed a cross-site scripting (XSS) vulnerability that affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. All supported versions of Confluence are affected.

      More details are available in the advisory at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11

      Patch for versions older than 4.1.9

      Attached is a patch that will fix this XSS issue for versions of Confluence older than 4.1.9. This patch has also been tested against Confluence 3.5.16, and should work for all Confluence 3.5.x releases. However, as with any patch, this should be tested thoroughly first, and initially monitored after being installed in production.

      To install:

      1. Download the attached zip file
      2. Shutdown Confluence
      3. Move the zip file <installation-directory>/confluence/WEB-INF/classes
      4. Extract the zip file
      5. Verify that the file <installation-directory>/confluence/WEB-INF/classes/com/atlassian/confluence/servlet/ConfluenceVelocityServlet.class exists
      6. Restart Confluence for the change to take effect

      You can read more about applying patches here: https://confluence.atlassian.com/display/DOC/Installing+Patched+Class+Files

            [CONFSERVER-26366] Cross Site Scripting Vulnerability

            Hi netmen5,
            Version 6.x.x of Confluence should not be affected as this issue was fixed in version 4.1.9.

            David Black added a comment - Hi netmen5 , Version 6.x.x of Confluence should not be affected as this issue was fixed in version 4.1.9.

            Is this solution also for confluence 6.xx?

            Rafał Żydek added a comment - Is this solution also for confluence 6.xx?

            VitalyA added a comment -

            outscale, please raise a support request at http://support.atlassian.com. Removing the file will restore you to the vulnerable version, this file is the patched one.

            VitalyA added a comment - outscale , please raise a support request at http://support.atlassian.com . Removing the file will restore you to the vulnerable version, this file is the patched one.

            Sam Hall added a comment -

            We applied this patch on our 3.5.16 instance and it worked fine BTW.

            Sam Hall added a comment - We applied this patch on our 3.5.16 instance and it worked fine BTW.

            Sam Hall added a comment -

            Remove the file <installation-directory>/confluence/WEB-INF/classes/com/atlassian/confluence/servlet/ConfluenceVelocityServlet.class and restart.

            Sam Hall added a comment - Remove the file <installation-directory>/confluence/WEB-INF/classes/com/atlassian/confluence/servlet/ConfluenceVelocityServlet.class and restart.

            (by the way, we're on Confluence 3.5.16)

            Cédric Joly [OUTSCALE] added a comment - (by the way, we're on Confluence 3.5.16)

            Hi, the patch just screwed up our Confluence when applied :

            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext filterStart
            SEVERE: Exception starting filter security
            java.lang.RuntimeException: Could not load security config 'null': Exception configuring from 'seraph-config.xml'. : java.lang.IllegalArgumentException: No such XML file: seraph-config.xml
            at com.atlassian.seraph.config.SecurityConfigFactory.loadInstance(SecurityConfigFactory.java:60)
            at com.atlassian.seraph.config.SecurityConfigFactory.getInstance(SecurityConfigFactory.java:39)
            at com.atlassian.seraph.filter.SecurityFilter.init(SecurityFilter.java:49)
            at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:295)
            at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422)
            at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:115)
            at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4071)
            at org.apache.catalina.core.StandardContext.start(StandardContext.java:4725)
            at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
            at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
            at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
            at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
            at org.apache.catalina.core.StandardService.start(StandardService.java:525)
            at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
            at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
            Caused by: com.atlassian.seraph.config.ConfigurationException: Exception configuring from 'seraph-config.xml'. : java.lang.IllegalArgumentException: No such XML file: seraph-config.xml
            at com.atlassian.seraph.config.SecurityConfigImpl.<init>(SecurityConfigImpl.java:170)
            at com.atlassian.seraph.config.SecurityConfigFactory.loadInstance(SecurityConfigFactory.java:56)
            ... 20 more
            Caused by: java.lang.IllegalArgumentException: No such XML file: seraph-config.xml
            at com.atlassian.seraph.config.SecurityConfigImpl.loadConfigXml(SecurityConfigImpl.java:182)
            at com.atlassian.seraph.config.SecurityConfigImpl.<init>(SecurityConfigImpl.java:96)
            ... 21 more
            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log
            INFO: org.tuckey.web.filters.urlrewrite.utils.Log ERROR: logLevelConf: null
            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log
            INFO: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter INFO: loaded (conf ok)
            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext start
            SEVERE: Error filterStart
            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext start
            SEVERE: Context [] startup failed due to previous errors
            Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log
            INFO: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter INFO: destroy called

            Cédric Joly [OUTSCALE] added a comment - Hi, the patch just screwed up our Confluence when applied : Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext filterStart SEVERE: Exception starting filter security java.lang.RuntimeException: Could not load security config 'null': Exception configuring from 'seraph-config.xml'. : java.lang.IllegalArgumentException: No such XML file: seraph-config.xml at com.atlassian.seraph.config.SecurityConfigFactory.loadInstance(SecurityConfigFactory.java:60) at com.atlassian.seraph.config.SecurityConfigFactory.getInstance(SecurityConfigFactory.java:39) at com.atlassian.seraph.filter.SecurityFilter.init(SecurityFilter.java:49) at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:295) at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422) at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:115) at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4071) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4725) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:840) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) at org.apache.catalina.core.StandardService.start(StandardService.java:525) at org.apache.catalina.core.StandardServer.start(StandardServer.java:754) at org.apache.catalina.startup.Catalina.start(Catalina.java:595) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: com.atlassian.seraph.config.ConfigurationException: Exception configuring from 'seraph-config.xml'. : java.lang.IllegalArgumentException: No such XML file: seraph-config.xml at com.atlassian.seraph.config.SecurityConfigImpl.<init>(SecurityConfigImpl.java:170) at com.atlassian.seraph.config.SecurityConfigFactory.loadInstance(SecurityConfigFactory.java:56) ... 20 more Caused by: java.lang.IllegalArgumentException: No such XML file: seraph-config.xml at com.atlassian.seraph.config.SecurityConfigImpl.loadConfigXml(SecurityConfigImpl.java:182) at com.atlassian.seraph.config.SecurityConfigImpl.<init>(SecurityConfigImpl.java:96) ... 21 more Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log INFO: org.tuckey.web.filters.urlrewrite.utils.Log ERROR: logLevelConf: null Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log INFO: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter INFO: loaded (conf ok) Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext start SEVERE: Error filterStart Sep 17, 2012 12:10:58 PM org.apache.catalina.core.StandardContext start SEVERE: Context [] startup failed due to previous errors Sep 17, 2012 12:10:58 PM org.apache.catalina.core.ApplicationContext log INFO: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter INFO: destroy called

              vosipov VitalyA
              vosipov VitalyA
              Affected customers:
              0 This affects my team
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: