NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      We have identified and fixed a cross-site scripting (XSS) vulnerability that affects Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. All supported versions of Confluence are affected.

      More details are available in the advisory at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11

      Patch for versions older than 4.1.9

      Attached is a patch that will fix this XSS issue for versions of Confluence older than 4.1.9. This patch has also been tested against Confluence 3.5.16, and should work for all Confluence 3.5.x releases. However, as with any patch, this should be tested thoroughly first, and initially monitored after being installed in production.

      To install:

      1. Download the attached zip file
      2. Shut down Confluence
      3. Move the zip file to <installation-directory>/confluence/WEB-INF/classes
      4. Extract the zip file
      5. Verify that the file <installation-directory>/confluence/WEB-INF/classes/com/atlassian/confluence/servlet/ConfluenceVelocityServlet.class exists
      6. Restart Confluence for the change to take effect

      You can read more about applying patches here: https://confluence.atlassian.com/display/DOC/Installing+Patched+Class+Files
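Steps 3 to 5 of the install procedure, plus the "older than 4.1.9" applicability check, as an added shell example that is not part of the Atlassian bug report. The function names are my own, and because the report does not say where to read the installed version, the version string and the installation directory are assumed to be passed in by the administrator.

```shell
#!/bin/sh
# Added example, not part of the Atlassian bug report: helper checks for applying the
# ConfluenceVelocityServlet patch described above. Assumed: the admin passes the
# Confluence version string and the installation directory as arguments.

# Relative path from the install directory to the class the patch ships (step 5).
PATCHED_CLASS="confluence/WEB-INF/classes/com/atlassian/confluence/servlet/ConfluenceVelocityServlet.class"

# Returns 0 when VERSION is strictly older than 4.1.9 (the releases the attached patch
# is for), 1 when it is 4.1.9 or newer, 2 when the string is not a dotted number.
patch_applies_to_version() {
    ver="$1"
    case "$ver" in ''|*[!0-9.]*) return 2 ;; esac
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    [ "$minor" -gt 1 ] && return 1
    [ "$patch" -lt 9 ]
}

# Step 5: the patched class must exist (and be non-empty) where Confluence's
# classloader will pick it up. Returns 0 if so, 1 otherwise.
verify_patch_installed() {
    [ -s "$1/$PATCHED_CLASS" ]
}

# Steps 3 to 5: copy the zip into WEB-INF/classes, extract it in place, then verify.
# Run this with Confluence stopped (step 2) and restart it afterwards (step 6).
install_patch() {
    install_dir="$1"; patch_zip="$2"
    classes_dir="$install_dir/confluence/WEB-INF/classes"
    [ -d "$classes_dir" ] || { echo "not a Confluence install: $install_dir" >&2; return 1; }
    cp "$patch_zip" "$classes_dir/" || return 1
    (cd "$classes_dir" && unzip -o "$(basename "$patch_zip")") >/dev/null || return 1
    verify_patch_installed "$install_dir"
}
```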

            [CONFCLOUD-26366] Cross Site Scripting Vulnerability

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2364226 ] New: JAC Bug Workflow v3 [ 3402209 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            jonah (Inactive) made changes -
            Link New: This issue is related to CONFSERVER-26366 [ CONFSERVER-26366 ]