Details
- Bug
- Resolution: Fixed
- Medium
- 2.5.7, 2.6.2, 2.7
- None
- Tomcat 5.5, jdk 1.5.0_11, Linux 2.6.9-42.ELsmp
Description
Our eSecurity team has identified a Cross-Site Scripting issue with the Confluence server as follows:
Arbitrary JavaScript can be injected in the following cases, which can lead to escalated or invalid privileges being granted to an unauthorized user:
1) http://www.anyhost.com/confluence/pages/recentlyupdated.action?key=BE&%3E%27%22%3E%3Cscript%3Ealert%2856517%29%3C%2Fscript%3E=123
This issue has been resolved in version 2.5.8 onwards. The rest of this report refers to the following issue.
2) http://www.anyhost.com/confluence/dashboard/configurerssfeed.action/?>'"><script>alert("esec%20XSS%20attack")</script>
We would like a patch to be created for these issues if they cannot be resolved with a setting or configuration.
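In both URLs the payload travels in a query-parameter name rather than a value, which is exactly the part many templates forget to escape when they echo request parameters back into the page. The following is an added illustration, not Confluence's own code: a minimal Python renderer that reproduces that defect beside its hardened form, fed with the two URLs from the report, plus a small check that counts unexpected tags in the rendered output.

```python
"""Reflected XSS through unescaped query-parameter names (constructed example)."""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# The two URLs quoted in the report above; the parameter NAME carries the payload.
CASE_1 = ("http://www.anyhost.com/confluence/pages/recentlyupdated.action"
          "?key=BE&%3E%27%22%3E%3Cscript%3Ealert%2856517%29%3C%2Fscript%3E=123")
CASE_2 = ("http://www.anyhost.com/confluence/dashboard/configurerssfeed.action/"
          "?>'\"><script>alert(\"esec%20XSS%20attack\")</script>")


def parse_query(url):
    """Return (name, value) pairs, percent-decoded; keep names that have no '='."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_hidden_fields_unsafe(url):
    """Vulnerable form: every parameter is echoed verbatim as a hidden input."""
    return "".join(f'<input type="hidden" name="{n}" value="{v}">'
                   for n, v in parse_query(url))


def render_hidden_fields_safe(url):
    """Hardened form: names AND values are HTML-escaped; quote=True handles ' and "."""
    return "".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in parse_query(url))


def unexpected_tags(rendered):
    """Count '<' characters that do not start the one tag the template is allowed to emit.

    Any hit means attacker-controlled markup reached the response unescaped."""
    return len(re.findall(r"<(?!input\b)", rendered))


if __name__ == "__main__":
    for url in (CASE_1, CASE_2):
        print("unsafe:", unexpected_tags(render_hidden_fields_unsafe(url)),
              "safe:", unexpected_tags(render_hidden_fields_safe(url)))
```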