- Bug
- Resolution: Fixed
- Highest
- 2.9.2, 2.10.3, 3.0
- None
- Create a space called <script>alert("XSS");</script>
- Find a page named 'Home' in a different space
- Move this page, choosing the previously created space as the destination
- The move will fail due to the duplicate page name, and the script will be run.
- is related to CONFSERVER-16019 XSS vulnerability when moving page between spaces - Closed
-
Attached is a patch for Confluence 3.0 (if unable to upgrade to 3.0.1). To apply the patch you will need to extract the content of the zip archive into your <confluence> directory (the one containing /WEB-INF and /includes) and restart the server.
Note that this patch also includes the fix for the related issue CONF-16019.