NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
There are various content-types which are unsafe to send as Content-Disposition: inline as they could be used to perform XSS attacks.
The known 'bad' content-types which confluence currently sends 'inline' include: 'application/x-shockwave-flash'(swf files) and 'image/svg+xml'(svg files).
- is related to
-
CONFSERVER-25873 Various persistent-xss vulnerabilities in attachment downloads
-
- Closed
-
- supersedes
-
CONFCLOUD-25488 persistent xss through svg file attachment download
-
- Closed
-
-
-
- Closed
-
1.
|
persistent xss through svg file attachment download |
|
Closed | Unassigned |
2.
|
persistent xss through flash swf file attachment download |
|
Closed | Unassigned |