Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.7, 5.6-OD-37-042
Affects Version/s: 5.6.3
Component/s: None
Labels:

CVSS Score:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

This request:

<home>/plugins/recently-updated/changes.action?theme=XXXXXXXX

results in the response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1412654577325
X-Seraph-LoginReason: OK
X-AUSERNAME: admin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Date: Tue, 07 Oct 2014 04:02:57 GMT
Content-Length: 277

    <ul>
            <li class="update-item update-item-error">XXXXXXXX
 no supported.</li>
        </ul>

Which in turn renders as a web page. This was an attacker can construct a web page and pretend it has come from Confluence. It is not possible to embed HTML tags.

Also, bad grammar

Reported by a customer.

mentioned in: Page Loading...

Assignee:: Hoang Nguyen (Inactive)

Reporter:: VitalyA

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 07/Oct/2014 4:08 AM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 22/Oct/2014 5:06 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates