Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-11985

XSS vulnerability in create/edit/copy page and blogpost actions

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Highest
    • 2.8.2
    • 2.8
    • None

    Description

      The following create/edit page URL's are vulnerable:

      • /pages/createpage.action
      • /pages/docreatepage.action
      • /pages/editpage.action
      • /pages/doeditepage.action

      on parentPageString

      Example of a maliciously crafted path:
      /pages/doeditpage.action?pageId=12345&parentPageString=Home%22%3e%3cscript%3ealert("XSS")%3c%2fscript%3e

      where 12345 is a valid page id.

      Patch instructions for 2.8.x

      1. Shut down Confluence
      2. Copy attached content-editor.vm to confluence/template/custom
      3. Start up Confluence

      Attachments

        1. content-editor.vm
          9 kB
          Chris Broadfoot [Atlassian]

        Issue Links

          is a regression of

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-11027 XSS vulnerabilities in create/edit/copy page and blogpost actions

          • Medium - Medium priority issues
          • Closed

          Activity

            People

              don.willis@atlassian.com Don Willis
              james.rinker James Rinker
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: