[CONFSERVER-15440] XSS vulnerability can be exploited with the contentbylabel macro

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.0.2, 3.1-m3
Affects Version/s: 2.10
Component/s: Editor - Page / Comment Editor
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Use markup:

{contentbylabel:labels=foo|title=<script>alert('Vulnerable')</script>}

The script will be executed when the page is viewed.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-advanced-macros-1.5.3.5.jar
128 kB
01/Oct/2009 1:44 AM

David Taylor (Inactive) added a comment - 01/Oct/2009 1:44 AM

Confluence 2.10.x users can install the attached plugin jar (version 1.5.3.5) to fix this issue.

David Taylor (Inactive) added a comment - 01/Oct/2009 1:44 AM Confluence 2.10.x users can install the attached plugin jar (version 1.5.3.5) to fix this issue.

David Taylor (Inactive) added a comment - 17/Sep/2009 5:57 AM - edited

I have tested version 1.6.4 on Confluence 3.0.1 and it works correctly. Anyone on 3.0.x should be able to upgrade the plugin to fix this issue.

David Taylor (Inactive) added a comment - 17/Sep/2009 5:57 AM - edited I have tested version 1.6.4 on Confluence 3.0.1 and it works correctly. Anyone on 3.0.x should be able to upgrade the plugin to fix this issue.

Ryan Ericson [Atlassian] added a comment - 28/Aug/2009 7:07 AM

To fix this bug please upgrade confluence-advanced-macros to 1.6.4.

Ryan Ericson [Atlassian] added a comment - 28/Aug/2009 7:07 AM To fix this bug please upgrade confluence-advanced-macros to 1.6.4.

Ryan Ericson [Atlassian] added a comment - 19/Aug/2009 3:49 AM

the corresponding issue in the plugin project: http://developer.atlassian.com/jira/browse/ADVMACROS-126

Ryan Ericson [Atlassian] added a comment - 19/Aug/2009 3:49 AM the corresponding issue in the plugin project: http://developer.atlassian.com/jira/browse/ADVMACROS-126

Assignee:: Unassigned

Reporter:: Mark Hrynczak (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 30/Apr/2009 8:48 AM

Updated:: 11/Oct/2018 8:45 AM

Resolved:: 09/Sep/2009 5:38 AM

Details

Description

Attachments

Attachments

Forms

Activity

Collapse comment: David Taylor (Inactive) added a comment - 01/Oct/2009 1:44 AM

Expand comment: David Taylor (Inactive) added a comment - 01/Oct/2009 1:44 AM

Collapse comment: David Taylor (Inactive) added a comment - 17/Sep/2009 5:57 AM, Edited by David Taylor - 17/Sep/2009 6:47 AM

Expand comment: David Taylor (Inactive) added a comment - 17/Sep/2009 5:57 AM, Edited by David Taylor - 17/Sep/2009 6:47 AM

Collapse comment: Ryan Ericson [Atlassian] added a comment - 28/Aug/2009 7:07 AM

Expand comment: Ryan Ericson [Atlassian] added a comment - 28/Aug/2009 7:07 AM

Collapse comment: Ryan Ericson [Atlassian] added a comment - 19/Aug/2009 3:49 AM

Expand comment: Ryan Ericson [Atlassian] added a comment - 19/Aug/2009 3:49 AM

People

Dates