Details
-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
6
-
Description
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it.
To exploit it, create a user with html in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.
There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.
Attachments
Issue Links
- is related to
-
CONFSERVER-20865 XSS vulnerability in space key, particularly with decorators off
- Closed