[CONFSERVER-16135] XSS vulnerability in space name when page move would create a duplicate

      1. Create a space called <script>alert("XSS");</script>
      2. Find a page named 'Home' in a different space
      3. Move this page, choosing the previously created space as the destination
      4. The move will fail due to the duplicate page name, and the script will be run.

        1. patch_2.10.x.zip (6 kB)
        2. patch_3.0.zip (6 kB)
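The reproduction steps above come down to a stored, user-controlled space name being written into the "duplicate page" error markup without output encoding. The following is an added example, not Confluence's code or the contents of the attached patches; the function names and the message wording are assumptions made for illustration.

```javascript
// Added example: all names and the message wording are hypothetical.

// The five characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for safe inclusion in HTML text content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the page title and space name are concatenated into markup as-is,
// so a space name containing markup is parsed by the browser.
function duplicateErrorUnsafe(pageTitle, spaceName) {
  return '<div class="error">A page titled "' + pageTitle +
    '" already exists in space "' + spaceName + '".</div>';
}

// After: every user-controlled value is encoded at the point of output.
function duplicateErrorSafe(pageTitle, spaceName) {
  return '<div class="error">A page titled "' + escapeHtml(pageTitle) +
    '" already exists in space "' + escapeHtml(spaceName) + '".</div>';
}

// Regression check for the error path: true if the rendered markup would
// introduce a script element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the space name from step 1 of the report.
const reportedSpaceName = '<script>alert("XSS");</script>';
console.log(duplicateErrorUnsafe("Home", reportedSpaceName));
console.log(duplicateErrorSafe("Home", reportedSpaceName));
```

The same check applies to every other message or view that echoes a space name or page title, since the value is stored once and rendered in many places.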


            David Taylor (Inactive) added a comment -

            Attached is a patch for Confluence 3.0 (if unable to upgrade to 3.0.1). To apply the patch you will need to extract the content of the zip archive into your <confluence> directory (the one containing /WEB-INF and /includes) and restart the server.

            Note that this patch also includes the fix for the related issue CONF-16019.

            David Taylor (Inactive) added a comment -

            Attached is the patch for Confluence 2.10.x. To apply the patch you will need to extract the content of the zip archive into your <confluence> directory (the one containing /WEB-INF and /includes) and restart the server.

            Note that this patch also includes the fix for the related issue CONF-16019.

            Anatoli added a comment -

            David,

            Can you please attach a patch for 2.10?


            Anatoli added a comment -

            Reviewed and tested the change. All good, but the change still needs to be committed to trunk.


              dave@atlassian.com dave (Inactive)
              mhrynczak Mark Hrynczak (Inactive)