CONFCLOUD-20865: XSS vulnerability in space key, particularly with decorators off

Description

      NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag; e.g., Doc Theme breaks without it, and theme choice breaks without it.

      To exploit it, create a user with HTML in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.

      There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.
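The attribute breakout described above, as an added example that is neither Confluence's code nor part of the original report: a hypothetical Python page renderer with two output points that both carry the space key (a content meta tag and a space link; the tag name `ajs-space-key`, the link form, and the `~` + login-name key format are assumptions), a decorator flag that models `?decorator=none`, and a parser-based check that flags any tag the template did not emit itself. Encoding only one output point still leaves an injected tag, which is the point of the last sentence in the report.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the report). Personal space keys
# are assumed to be "~" + the login name, so a login name carrying HTML
# yields a key like MALICIOUS_KEY.
BENIGN_KEY = "~alice"
MALICIOUS_KEY = '~bob"><script>alert(1)</script>'


def attr(value: str, encode: bool) -> str:
    """Emit an attribute value: attribute-encoded (the fix, quote=True also
    encodes double quotes) or verbatim (the bug)."""
    return html.escape(value, quote=True) if encode else value


def render_page(space_key: str, decorator: bool = True,
                encode_meta: bool = False, encode_link: bool = False) -> str:
    """Hypothetical renderer. Two output points carry the space key; each can
    be encoded independently. decorator=False models ?decorator=none: the site
    chrome is dropped but the content tags are still emitted."""
    parts = []
    if decorator:
        parts.append("<div id='header'>site chrome</div>")
    # Assumed meta tag name; the report only says "content tag".
    parts.append(f'<meta name="ajs-space-key" content="{attr(space_key, encode_meta)}">')
    # A second, separate output point for the same value.
    parts.append(f'<a href="/display/{attr(space_key, encode_link)}">space</a>')
    return "\n".join(parts)


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered: str) -> list[str]:
    """Tags present in the output that the template never wrote. A non-empty
    result means the space key broke out of its attribute."""
    expected = {"div", "meta", "a"}
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in expected]


if __name__ == "__main__":
    for label, page in [
        ("benign", render_page(BENIGN_KEY)),
        ("unencoded", render_page(MALICIOUS_KEY)),
        ("unencoded, decorator=none", render_page(MALICIOUS_KEY, decorator=False)),
        ("meta encoded only", render_page(MALICIOUS_KEY, encode_meta=True)),
        ("both encoded", render_page(MALICIOUS_KEY, encode_meta=True, encode_link=True)),
    ]:
        print(f"{label}: injected={injected_tags(page)}")
```

The check deliberately parses the rendered output rather than grepping for the payload string: what matters is whether the markup parser ends up with a tag the template did not write, and that question is independent of which decorator was requested, which is why dropping `decorator=none` alone does not close the bug.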

People: jxie (Chii), don.willis@atlassian.com (Don Willis)
Watchers: 6


Time Tracking: Original Estimate 16h; Remaining Estimate 16h; Time Spent not specified