• Bug
    • Resolution: Fixed
    • Medium
    • 3.0
    • None
    • None
    • Server: QA-EAC 3.0-m9-r2
      OS: Mac OS X 10.5.6
      Browser: Safari 3.2.1 (5525.27.1)

      Markup
      {im:<script>alert('Behind you!')</script>|service=aim}
      


      For some reason, it doesn't like the Numa Numa iframe.

            [CONFSERVER-15397] Instant Messenger Macro XSS Vector

            Anatoli added a comment -

            Hi Matthew,

            I have checked the changes in the plugin between version 2.3 and 2.5 and tested 2.5 with confluence 2.9.2. Version 2.5 works correctly with confluence 2.9.2, please download this version and install it through Administration > Plugin Manager.

            Anatoli.


            Matthew McVey added a comment - edited

            Is version 2.5 of this plugin compatible with confluence 2.9.2? If not, can a patched version of this plugin (presumably 2.3.x) be provided that protects against this vulnerability? Thank you,


            Igor Minar added a comment -

            thanks


            Andrew Lynch (Inactive) added a comment -

            Hi Igor,

            The repository metadata appears to be incorrect. It should be compatible with version 2.10.

            Regards,
            Andrew Lynch

            Igor Minar added a comment -

            Is the version 2.5 of this plugin compatible with confluence 2.10.3? The plugin page and the plugin repository say that it isn't, yet the security advisory says that there is a fix for 2.10.3.


            PdZ (Inactive) added a comment -

            Good work guys:

            Andrew Lynch (Inactive) added a comment - http://developer.atlassian.com/jira/browse/PRES-23

            Per Fragemann [Atlassian] added a comment -

            Not a 3.0 specific bug, so removing the affects-version. Still needs to be fixed in 3.0 though IMO

              alynch Andrew Lynch (Inactive)
              pdzwart PdZ (Inactive)