[CONFSERVER-11153] XSS vulnerability in social bookmarking plugin bundled in Confluence

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.7.3
Affects Version/s: 2.6.2, 2.7.2
Component/s: None
Labels:
- affects-server
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

The social bookmarking plugin is bundled in Confluence 2.7.x and Confluence 2.6.x. As such this vulnerability affects all 2.7.x and 2.6.x instances (even if you do not use the plugin or do not have the Add Bookmark Web Item enabled).

The updatebookmark.action URL is vulnerable on these parameters:

bookmarkPageId
redirect
labelsString

The JIRA issue created in the developer.atlassian.com project for this plugin can be found here: http://developer.atlassian.com/jira/browse/MARK-60.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

socialbookmarking-1.0.6-patched.jar
18/Mar/2008 5:13 AM
59 kB
dave
socialbookmarking-1.1.1.jar
18/Mar/2008 4:41 AM
61 kB
dave

Katherine Yabut made changes - 13/Nov/2018 4:44 AM

Workflow

Original: JAC Bug Workflow v3 [ 2897761 ]

New: CONFSERVER Bug Workflow v4 [ 2992307 ]

Owen made changes - 11/Oct/2018 9:04 AM

Workflow	Original: JAC Bug Workflow v2 [ 2789656 ]	New: JAC Bug Workflow v3 [ 2897761 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:16 PM

Workflow

Original: JAC Bug Workflow [ 2731975 ]

New: JAC Bug Workflow v2 [ 2789656 ]

Owen made changes - 02/Jul/2018 7:08 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397268 ]

New: JAC Bug Workflow [ 2731975 ]

Katherine Yabut made changes - 22/Jun/2017 6:52 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2294428 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2397268 ]

Katherine Yabut made changes - 31/May/2017 5:38 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230856 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2294428 ]

Katherine Yabut made changes - 31/May/2017 4:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189369 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2230856 ]

Katherine Yabut made changes - 31/May/2017 2:04 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1919820 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2189369 ]

Katherine Yabut made changes - 03/Apr/2017 3:56 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1729772 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1919820 ]

Katherine Yabut made changes - 28/Feb/2017 6:34 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1682864 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1729772 ]

Assignee:: dave (Inactive)

Reporter:: dave (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 18/Mar/2008 4:38 AM

Updated:: 11/Oct/2018 9:04 AM

Resolved:: 18/Mar/2008 4:41 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates