To reproduce this issue:

      • create a user with username "><<script>alert('hahahaha')</script>
      • create a personal space for this user
      • create a page in the personal space with pagetree and/or pagetreesearch macro

      Note that Confluence does not work very well with such usernames, so you would need to use actions directly when creating/viewing pages in the user space.
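      Why this username is a useful test string, shown as an added example (not the Page Tree plugin's code; the page does not show how the plugin renders the name). The `TEMPLATE` markup and all function names are constructed for illustration: they assume the name is placed inside a double-quoted HTML attribute, rendered once verbatim and once HTML-encoded, and the result is parsed to see which elements come out.

```python
from html import escape
from html.parser import HTMLParser

# Username taken verbatim from the reproduction steps above.
USERNAME = "\"><<script>alert('hahahaha')</script>"

# Constructed template: stands in for any macro markup that places the
# space owner's name inside a double-quoted HTML attribute.
TEMPLATE = '<input type="text" name="q" title="Search pages of %s">'


def render_unsafe(username):
    """Interpolate the name verbatim (the vulnerable pattern)."""
    return TEMPLATE % username


def render_encoded(username):
    """HTML-encode the name, including quotes, before interpolation."""
    return TEMPLATE % escape(username, quote=True)


class TagCollector(HTMLParser):
    """Record every start tag and the attributes of the <input> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        result = parse(render(USERNAME))
        print(render.__name__, result.tags, repr(result.input_attrs.get("title")))
```

      The same parse-and-count check works as a regression test after upgrading: render a page for a user with this name and confirm the output contains no element that the template itself did not define.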

            [CONFSERVER-17967] XSS vulnerability in pagetree and page macros

            Paul Curren added a comment - I reviewed the change in PGTR-68. Confluence has been updated to pagetree plugin version 1.13.1.

            Mark Hrynczak (Inactive) added a comment - This is still exploitable with Page Tree plugin v1.13. Follow the steps as described, then use markup: {pagetree:searchBox=true}

            Giles Gaskell [Atlassian] added a comment (edited) - Confluence Administrators — fixing this vulnerability:

            This plugin has been bundled with Confluence since version 2.9. Version 1.13.1 of the Page Tree plugin contains this fix. Refer to PGTR-68 for more information. Version 1.13.1 of the Page Tree plugin is compatible with versions of Confluence back to 2.8.

            Hence, to fix this vulnerability, please upgrade the version of this plugin in your Confluence installation to at least 1.13.1.

            To do this, go to the 'Atlassian Plugin Repository' in your Confluence Administration console area and upgrade the 'AJAX PageTree Plugin' to version 1.13.1 (or greater).

              Unassigned Unassigned
              ggaskell Giles Gaskell [Atlassian]