Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-10164

XSS vulnerability in recently updated and configure RSS feed actions

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Medium Medium
    • 2.7
    • 2.5.7, 2.6.2, 2.7
    • None

    • Tomcat 5.5
      jdk 1.5.0_11
      Linux 2.6.9-42.ELsmp

      Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows:
      Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user:

      1) http://www.anyhost.com/confluence/pages/recentlyupdated.action?key=BE&%3E%27%22%3E%3Cscript%3Ealert%2856517%29%3C%2Fscript%3E=123
      This issue has been resolved in version 2.5.8 onwards. The rest of this report refers to the following issue.

      2) http://www.anyhost.com/confluence/dashboard/configurerssfeed.action/?>'"><script>alert("esec%20XSS%20attack")</script>

      We would like a patch to be created for these issues if they can not be resolved with a setting or configuration.

        1. AbstractHtmlGeneratingMacro.class
          6 kB

            [CONFSERVER-10164] XSS vulnerability in recently updated and configure RSS feed actions

            No work has yet been logged on this issue.

              pcurren Paul Curren
              06e277ee78c4 jeff peichel
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: