XSS vulnerability in recently updated and configure RSS feed actions

XMLWordPrintable

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 2.7
    • Affects Version/s: 2.5.7, 2.6.2, 2.7
    • Component/s: None
    • Environment:

      Tomcat 5.5
      jdk 1.5.0_11
      Linux 2.6.9-42.ELsmp

      Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows:
      Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user:

      1) http://www.anyhost.com/confluence/pages/recentlyupdated.action?key=BE&%3E%27%22%3E%3Cscript%3Ealert%2856517%29%3C%2Fscript%3E=123
      This issue has been resolved in version 2.5.8 onwards. The rest of this report refers to the following issue.

      2) http://www.anyhost.com/confluence/dashboard/configurerssfeed.action/?>'"><script>alert("esec%20XSS%20attack")</script>

      We would like a patch to be created for these issues if they can not be resolved with a setting or configuration.

        1. AbstractHtmlGeneratingMacro.class
          6 kB
          Paul Curren

            Assignee:
            Paul Curren
            Reporter:
            jeff peichel
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: